Security Blog

Unicode for Security Professionals

Unicode for Security ProfessionalsUnicode is the de-facto standard for multilingual character encoding. UTF-8 is the most popular encoding used that supports its hundreds of thousands of characters. Aside from the encoding (byte representation of characters), Unicode defines multiple transformations that can be applied to characters. For instance, it describes the behavior of transformations such as Uppercase. The character known as Long S “ſ” (U+017F) will become a regular uppercase S “S” (U+0053). Unexpected behavior for developers can often lead to security issues. Today, we will dive into the case mapping and normalization transformations. You will see how they can contribute to logic flaws in code.

read more

The Easy Way in for Attackers: Passwords

PasswordsAs part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to password policies.

read more

Defenders versus Pentesters on Multifactor Authentication

Cybersecurity Perceptions Versus RealityAs part of our research on Cybersecurity Perceptions Versus Reality, we developed a survey in collaboration with Serene-risc, a knowledge mobilization network in cybersecurity based in Canada, on the perceptions and practices of cybersecurity professionals. The survey aimed at understanding how defenders perceive specific security measures and whether these measures were implemented in their respective organizations. We then combined the survey results with our penetration testing experience to confront two perspectives: the defenders’ and the pentesters’, the latter standing as proxies for real attackers. This blog post summarizes the results related to multifactor authentication.

read more

Research on Perceptions vs Reality in Cybersecurity

Cybersecurity Perceptions Versus RealityA disconnect exists between how defenders perceive the value of their implemented security controls, and the most common attack vectors leveraged by penetration testers acting as potential attackers. Today, we are excited to release Cybersecurity Perceptions Versus Reality, a report that highlights the key results of a two-year long study that aimed at understanding this disparity.

read more

Vera Vulnerable to Authenticated Remote Code Execution (CVE-2019-15123)

An Authenticated Remote Code Execution (RCE) vulnerability was discovered on Vera, a platform for digital asset management used in the printing industry. The application allows an authenticated user to change the logo on the Website. An attacker can use this feature to upload a malicious (.aspx) file and gain remote code execution on the server.

read more

Categories

Pin It on Pinterest