* Posts by MarkItZer0

7 posts • joined 23 Oct 2015

Before you high-five yourselves for setting up that bug bounty, you've got the staff in place to actually deal with security, right?


Re: She's missing the most fundamental step

It doesn't assume that. She's referring to managed bug bounty programmes where Hacker One, Bugcrowd et al, triage the incoming issues. More real issues means more money made by the bug management platform.

Pupil mental health monitor promises app rewrite after hardcoded login creds discovered


Re: Every company after a data leak

Of course never on purpose... However, you will probably know that pentesting engagements are extremely limited in time and scope. Therefore, if we find say xss in a few locations we report those with examples, but won't go around the site finding every single instance. The client with access to their own code base is better positioned to do that.

Time is better spent finding other vulnerabilities imo. Better a report that finds 10 different things than 1 thing but highlights every instance. Often these vulnerabilities are found manually rather than by automated scanners.

Pentesting engagements are on average 4 days including report, so not everything can be uncovered in that time, especially on a system resembling Swiss Cheese. We don't know how much we'll find until the testing window starts you see.


Re: Every company after a data leak

If privacy and security were absolute priorities, then this wouldn't have happened.

I'm a pentester and it reminds me of a client that believed it wasn't possible to develop secure software, and the only possible method of making something secure was to give it to the pentesters once complete. He was moaning at the fact we kept finding things on each retest, therefore we should only test the exact things found last time so that they could get a clean report.

Breach at UK.gov's Cyber Essentials scheme exposes users to phishing attacks


Nope. Going public is completely optional on the CREST scheme.

Two years ago, 123-Reg and NamesCo decided to register millions of .uk domains for customers without asking them. They just got the renewal reminders...


Total scum

Just like when they charge extra for "domain registration privacy" (and also automatically at renewal), which is now a given due to GDPR so is free.

I had to contact GoDaddy for each domain to get them to remove it, but even still they played the FUD card and pretended that it still offered privacy above and beyond that of the current GDPR requirements. After persisting I got them to remove it from my accounts and refund what they'd already taken.

How the HTTPS-snooping, email addy and SSN-raiding HEIST JavaScript code works


Re: As a client, there is not much you can do.

This makes it more difficult, but not impossible.

With enough requests made, the randomness will even out over time into an average. Therefore, each reflected value can be repeated a number of times to find out how it averages.

Chaos at TalkTalk: Data was 'secure', not all encrypted, we took site down, were DDoSed


As secure as possible != encrypted

Encryption is not a magic, all securing operation - it doesn't mean that data retrieved from the database is automatically rendered unusable. If the data was encrypted at database server or OS level (which is fine under PCI DSS), and there was an application exploit used to extract it (say SQL injection), then the database and OS would dutifully decrypt the data for the application's use, therefore the security flaw would mean the hacker gets the decrypted data anyway.

The focus should be on application security rather than on encryption. It is possible to encrypt database rows and columns using a key from the application server. However, again as the application server needs to encrypt/decrypt per query, a SQLi attack will probably succeed. It is possible, although very difficult in practise, to implement row encryption in a web application. Complexity is the enemy of security - keep things simple and concentrate on security testing and plugging those vulnerabilities rather than adding unnecessary encryption to stored data.


Biting the hand that feeds IT © 1998–2019