INTELLIGENT RISK PREVENTION

ABOUT US

COMPANY

Blaze Information Security is a privately held, independent information security firm born from years of combined experience and international presence. With offices in Brazil and Estonia, Blaze has a team of senior analysts with past experience in leading information security consulting companies around the world and a proven track record of published security research.

We are strong believers in technical excellence and have extensive experience in delivering complex projects for large customers from different industries such as finance, telecommunications, technology, government and e-commerce. We guarantee the best results to meet your security demands.

COMPETENCIES

The passion for information security drives us and is shared by all members of our team.

Present in Brazil and Estonia, our professionals have worked with major companies around the world and possess the indispensable know-how to deal with projects of great complexity and criticality.

The analysts of Blaze Information Security are certified as Offensive Security Certified Professional (OSCP), CREST CRT (CHECK Team Member) and Cisco CCNA. They are also responsible for the publication of 10 CVEs (Common Vulnerabilities and Exposures) thus far.


SOLUTIONS

SERVICES

EXTERNAL INFRASTRUCTURE PENETRATION TEST

Is it possible to penetrate your organization and gain unauthorized access to it via the Internet?

An external penetration test consists of identifying the vulnerabilities and threats your business may face from the perspective of an external adversary.

Security tests are carried out through controlled attack simulation and are tailored to our client's business. The main objective of this service is to stay ahead of the actions committed by criminals and malicious hackers, such as financial fraud, sabotage, unauthorized access, leakage of data and sensitive information, espionage, denial-of-service attacks and others.

The results of a penetration test can also be used for audit processes that require security testing, such as PCI DSS and ISO/IEC 27001.

INTERNAL INFRASTRUCTURE PENETRATION TEST

Is your corporate IT environment protected against insider threats?

This type of security testing aims to identify and examine threats and vulnerabilities that may cause a negative impact on the business from the perspective of a potential internal attacker. The tests are designed to simulate well-coordinated attacks under the scenario where an internal agent, such as a disgruntled employee, has some basic access to the internal network.

Many cases of financial fraud and other threats stem from the exploitation of vulnerabilities present within the internal infrastructure.

SECURITY TESTING OF WEB APPLICATIONS

Plug the gap for fraud and data leakage

Many corporate network breaches start with insecure web applications, due to a number of factors, among them the large number of different technologies involved and short development deadlines that lead to the introduction of security defects.

The aim of web application security testing is to identify vulnerabilities that can directly interfere with the continuity and resilience of the business, since such systems often hold sensitive information, processes, strategy and other resources considered vital to an organization. The assessments are performed manually by our expert analysts and, when necessary, aided by the development of custom tools and scripts specific to each application under test. With the results of the analysis our clients can protect their assets and direct their efforts to mitigating the identified issues, enhancing the robustness and bolstering the resilience of the application against cyberattacks.

MOBILE APPLICATION SECURITY ASSESSMENT

Your business may be in the wrong hands

The meteoric rise of business-critical mobile apps brings new risks for organizations that rely on mobile devices and applications on a daily basis. Another risk factor for mobile applications is the current security maturity level of such platforms: many risks are still not well understood, and the lack of well-established security practices and frameworks, as well as the overall lack of maturity of application developers, makes the mobile world more prone to vulnerabilities than others.

Penetration testing of mobile apps involves simulating the actions of a skilled attacker to identify vulnerabilities in the application's supporting infrastructure (backend APIs and databases), in the communication between the app and the server, and in the application itself, along with its interaction with the device.

With the results of the analysis, the organization can improve the security of its business-critical mobile applications and reduce the risk to minimum levels.

Security review of desktop and kiosk solutions (Citrix, Terminal Services)

With the growing popularity of thin clients and virtualized remote environments, it is common for companies to adopt some sort of remote access solution such as Citrix or Terminal Services. In general these systems are configured to allow access only to the applications the user needs to perform his or her duties, for example spreadsheet software or a web browser.

In many cases the configuration of the restricted environment is not locked down enough and may have holes or implementation issues that allow a user to escape the restrictions imposed by the environment and obtain unauthorized access to other parts of the system, such as command prompts, the filesystem and others. This turns the system into a potential attack vector against the internal network.

Blaze Security performs privilege escalation tests of restricted environments and kiosks in order to illustrate the risk a misconfigured technology might bring to your organization and to help you with best practices and procedures to protect your environment.

Vulnerability management

We focus on security; you, on your business

The constant discovery of new vulnerabilities brings new challenges to the security management of an organization. Keeping your IT staff up to date with the latest cybersecurity trends and threats usually requires a massive investment of money and time.

To help our clients in this matter, our vulnerability management service periodically monitors the security posture of your IT infrastructure, web and mobile applications to identify the level of risk they may bring to your organization.

The analysis takes place on a daily basis, with our consultants performing security tests against the systems in scope. When a vulnerability is identified, the client's IT team is immediately notified through the dashboard of our in-house developed VMS (Vulnerability Management System).

Why hire our vulnerability management services?

  • The consultants of Blaze Information Security are constantly updated about new vulnerabilities and cybersecurity trends
  • Our clients get a 360-degree view of the risk their IT infrastructure may be exposed to
  • We assist the client during the entire process of fixing the vulnerabilities
  • The inherent risk posed by exploitable vulnerabilities is reduced

Our vulnerability management service was designed to work in a modular fashion, so our clients can opt for continuous security management specific to the technologies relevant to their business.

  • VULNERABILITY MANAGEMENT OF WEB APPLICATIONS

    With this service the client defines a set of web applications to be continuously tested. These applications are subjected to automated tests with manual validation of the vulnerabilities encountered. The tests have a strong focus on the OWASP Top 10 but are also augmented by other issues commonly encountered in our engagements, providing broad coverage of the attack surface exposed by the application.

  • VULNERABILITY MANAGEMENT OF MOBILE APPLICATIONS

    The client defines a set of files and Android and iOS applications that are scanned in a continuous and automated fashion, with the findings validated by one of our analysts.

  • INFRASTRUCTURE VULNERABILITY MANAGEMENT

    Our vulnerability management offering for infrastructure allows the client to choose a set of infrastructure assets (servers, routers, switches, Wi-Fi devices) that are scanned automatically, always under the supervision of a human security analyst.

Source code review

A close look at your weaknesses

Software vulnerabilities originate in the source code. Our analysis consists of scanning the code with security-focused static analysis tools, combined with manual analysis, to identify vulnerabilities that can pose a serious risk to the application and the business.

Incident response

Knowing that it happened is not enough; it is necessary to know how it happened

The diversification of applications on the Internet has been accompanied by a rise in the number of security incidents. The severity of an attack may vary, and in some cases it might cause serious operational impact on the business, ultimately causing major financial losses.

Incident response is the rapid-reaction capability used to manage the consequences of a breach. The main objective of incident response is to minimize the impact of a security compromise and allow a rapid recovery of the systems, guaranteeing business continuity, as well as to investigate the root cause of the breach and improve the security posture of the systems in order to reduce the risk of successful incidents in the future.

Product security assessment

Does this new appliance or software in my network expose me to unnecessary risks?

Blaze Information Security offers security assessments of products developed in-house or bought commercial off-the-shelf.

The assessment consists of evaluating all security aspects that will be affected by a new application or device inserted into the corporate network. A detailed analysis of the attack surface of the product under test is performed, taking into consideration its security expectations, objectives and threat model. In general, product security aims to verify the resilience of all components of the product under test. Typically this service is composed of infrastructure testing, code review, architecture analysis and application security, as well as the creation of bespoke scripts and custom tools for analysis, such as fuzzers.

Our offering benefits vendors that want their product evaluated from a security point of view before it is shipped to the market, and organizations that want to make sure that bringing another appliance or software into their network will not have an adverse impact on its security posture.

Training and education

Knowledge as loss prevention

We offer training courses of variable duration and depth to help developers improve the security of their code.

At present we offer training in the following areas:

  • Web application security testing
  • Mobile application security testing
  • Secure development of web applications
  • Secure development of mobile applications

WILDFIRE LABS

ADVISORIES

CVE-2007-5805

Alex DeLarge — 2007

cfgcon in IBM AIX 5.2 and 5.3 does not properly validate the argument to the "-p" option to swcons, which allows local users in the system group to create an arbitrary file, and enable...

CVE-2006-4907

Julio Cesar Fort — 2006

OSU 3.11alpha and 3.10a allows remote attackers to obtain sensitive information via a URL to a non-existent file, which displays the web root path in the resulting error message.

CVE-2005-2725

Julio Cesar Fort — 2005

The inputtrap utility in QNX RTOS 6.1.0, 6.3, and possibly earlier versions does not properly check permissions when the -t flag is specified, which allows local users to read arbitrary files.

CVE-2004-1683

Julio Cesar Fort — 2004

A race condition in crrtrap for QNX RTP 6.1 allows local users to gain privileges by modifying the PATH environment variable to reference a malicious io-graphics program before it is executed by crrtrap.

CVE-2004-1390

Julio Cesar Fort — 2004

Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allow remote attackers to execute arbitrary code via a long argument to the...

CVE-2004-1391

Julio Cesar Fort — 2004

Untrusted execution path vulnerability in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allows local users to execute arbitrary programs by...

CVE-2004-1681

Julio Cesar Fort — 2004

Multiple buffer overflows in (1) phrelay-cfg, (2) phlocale, (3) pkg-installer, or (4) input-cfg in QNX Photon microGUI for QNX RTP 6.1 allow local users to gain privileges via a long...

CVE-2004-1682

Julio Cesar Fort — 2004

Format string vulnerability in QNX 6.1 FTP client allows remote authenticated users to gain group bin privileges via format string specifiers in the QUOTE command.

CVE-2003-0277

Julio Cesar Fort — 2003

Directory traversal vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to read arbitrary files...

TOOLS

BT2

Julio Cesar Fort — 2016

BT2 is a Python-based backdoor in the form of an IM bot that uses the infrastructure and the feature-rich bot API provided by Telegram, slightly repurposing its communication platform to act as a C&C.

ActiveEvent Burp Plugin

Tiago Ferreira — 2016

ActiveEvent is a Burp plugin that continuously monitors the Burp scanner looking for new security issues. As soon as the scanner reports new vulnerabilities, the plugin generates a Splunk event directly in its management interface using the HTTP Event Collector.

Nginx Source Code Disclosure/Download

Tiago Ferreira — 2010

This module exploits a source code disclosure/download vulnerability in versions 0.7 and 0.8 of the nginx web server. Versions 0.7.66 and 0.8.40 correct this vulnerability.

Apache Axis2 Local File Include

Tiago Ferreira — 2010

This module exploits an Apache Axis2 v1.4.1 local file inclusion (LFI) vulnerability. By loading a local XML file which contains a cleartext username...

WordPress User Enumeration and Brute Force

Tiago Ferreira, Zach Grace, Christian Mehlmauer — 2010

WordPress Authentication Brute Force and User Enumeration Utility.

Barracuda Multiple Product "locale" Directory Traversal

Tiago Ferreira — 2010

This module exploits a directory traversal vulnerability present in several Barracuda products, including the Barracuda Spam and Virus Firewall...

Lotus Domino Password Hash Collector

Tiago Ferreira — 2010

Gets users' password hashes from the names.nsf page.

Lotus Domino Brute Force Utility

Tiago Ferreira — 2010

Lotus Domino Authentication Brute Force Utility.

PUBLICATIONS

Improving Black Box Testing By Using Neuro-Fuzzy Classifiers and Multi-Agent Systems

Marcos Júnior, Fernando Neto, Julio César S. Fort — 2010

This work presents a neuro-fuzzy and multi-agent system architecture for improving black box testing tools for client-side vulnerability discovery, specifically, memory corruption flaws. Experiments show the efficiency of the proposed hybrid intelligent approach over traditional black box testing techniques.

Rage Against the Kiosks

Tiago Ferreira — 2016

This presentation's goal was to demonstrate techniques that can be used to escape from restricted kiosk environments. It was presented at RoadSec Recife.

Common security pitfalls of banking and financial applications

Julio Cesar Fort — 2016

The title is self-explanatory. Presented at the Rotterdam University of Applied Sciences.

CONTACT US

PHONE

+55(81) 3132.0402

EMAIL

info@blazeinfosec.com
sales@blazeinfosec.com

ADDRESSES

BRAZIL (HQ): R. Visconde de Jequitinhonha, 279, Empresarial Tancredo Neves, S 701, Boa Viagem, Recife - PE. CNPJ: 24.043.764/0001-22

ESTONIA: Sepapaja 6, Tallinn, ZIP 15551. VAT: EE101932598

CAREERS

Do you want to be part of our team? Send us an email at careers@blazeinfosec.com