Tag: Security

Love letters from the red team: from e-mail to NTLM hashes with Microsoft Outlook

fisherman for blog

  Introduction A few months ago Will Dormann of CERT/CC published a blog post [1] describing a technique where an adversary could abuse Microsoft Outlook together with OLE objects, a feature of Microsoft Windows since its early days, to force the operating system to leak Net-NTLM hashes. Last year we wrote a blog post [2] […]

Jury.Online smart contract security audit

Webp net compress image

Introduction This blog post presents the results of a security audit of a smart contract performed by Blaze Information Security, and made public on behalf of the client Jury.Online. This post contains the very same information and findings present in the report released at the end of March 2018. The audit was performed by Victor […]

ANNI tokens smart contract security audit

Webp net compress image

Introduction This blog post presents the results of a security audit of a smart contract performed by Blaze Information Security and made public on behalf of the client Array.io (formerly known as Annihilat.io). This post contains the very same information and findings present in the report published at the end of December 2017. The audit […]

Fuzzing proprietary protocols with Scapy, radamsa and a handful of PCAPs

wizard logo B web 1

Introduction As security consultants, we act as hired guns by our clients to perform black-box security testing of applications. Oftentimes we have to assess the security of applications that use their own proprietary schemes for communication, instead of relying on conventional protocols such as HTTP. Recently we were faced with a short-term engagement that involved […]

Practical attacks against GSM networks (Part 1/3): Impersonation

blaze gsm

Introduction The Global System for Mobile Communications (GSM) is a mobile technology and the most popular standard for mobile phones worldwide. Originally known as Groupe Spécial Mobile, the GSM came through the CEPT (Conférence des Administrations Européenes des Postes et Télécommunications), that in 1982, worked to develop a standard for European digital cellular telecommunications. In […]

Turning Burp Scanner vulnerabilities into Splunk events

blaze ilustra 4 wild

Introduction Splunk is a fully featured, powerful platform for collecting, searching, monitoring, and analyzing machine data. It is widely used by Security Operation Center (SOC) teams to provide advanced security event monitoring, threat analytics, incident response, and cyber threat management. Burp Suite is a must-have web application attack proxy tool used by security analysts around […]

A survey on the usage of HTTP security headers in Brazil and Estonia

photo 2016 05 13 15 10 33

Introduction In recent years a number of security-oriented client-side controls for web browsers appeared in the scene in form of security headers. These headers can be used to improve the security of the user experience when interacting with a web application with little additional effort and negligible performance overhead — essentially, they can serve as […]