GNUCITIZEN

Oh yes, we certainly do! And let me tell you something: they ain’t going to be quite the same thing as what we are used to.

Back in the days all you needed was a poxy, a dummy scanner/spider just to lift of your back some of the repetitive and boring things, and your brain. You are pretty much settled. Today, you need to do things beyond that. Web technologies are just starting to show their ugly face and we are here to see/experience them for the first time. [...]

I am sure that by now you’ve seen/heard a lot of rants about how insecure cloud technologies are, etc. What worries me is that these claims are made by people who have never worked with cloud technologies and therefore have no clue on the subject whatsoever.

All of these claims actually have a common root. It is only logical to think that Gmail perhaps is less secure than your self-hosted email solution, for example. [...]

I’ve been using Ubuntu Server Edition for several years now as my pentesting toolbox platform. A few months ago, I also migrated my workstation to Ubuntu Desktop Edition. Recently, I also migrated my personal laptop to Ubuntu Desktop. I guess I’m officially an Ubuntu fan. W00t!

I’m not going to discuss the Ubuntu security model in detail, but in short, one of the highlights is that by default logged-in users run processes with restricted privileges. [...]

So let’s say that you decide to write a tool for doing some web related exploitation, enumeration, etc. The preferred language of choice comes down to perl, python ruby (C if you are an old school diehard).

It has to run from the command line. It has to have flags, etc, etc, and pretty much everything else a command line tool usually needs. [...]

It’s been a crazy month, so much going on! I had the pleasure of presenting my updated “Cracking into embedded devices” presentation at Hack.lu (Luxembourg) and Hack in the Box (Malaysia). I also had to give a talk on PCI DSS in London, which was a challenge as PCI DSS is not the most fun topic for me, trust me!

The best thing about assisting these kind of events is the technical discussions and exchange of ideas with not just other presenters but also attendees. [...]

Perhaps you are aware that we started a long and quite boring process which aimed to disintegrate all of our services, projects and products for the sake of better manageability, more granularity and in general improved quality.

We are very much on track although things have been moving quite slow lately. [...]

This morning I was reading an interesting article from Ryan Naraine (ZDNet Zero Day Blog) regarding a Facebook worm which uses RSS feeds and in particular Google Reader to strengthen its attack strategy. Interesting…

If you have been following GNUCITIZEN’s research and in particular this blog, you know this is not a big news since I’ve been describing the numerous web2.0 attack strategies countless of times. Perhaps you remember my paper on hacking Web2.0? [...]

Netsecurify is a free, automated information security testing tool which we exclusively offer to organizations and initiatives which desperately need security services but cannot afford to buy. In today’s market conditions this pretty much includes everybody. The Netsecurify project is very special to us. The following sequence of screenshots shows what it is inside.

Keep in mind that this is just a demo. For now, you have to start tests manually. [...]

The WP Blogsecurify 1.0 plugin is out. It was announced on the Blogsecurify blog and I am going to announce it here once again just in case you somehow missed the news.

WP Blogsecurify is a security plugin for Wordpress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team - a special division of GNUCITIZEN Information Security Think Tank. [...]

According to Wikipedia: In hacker culture, a script kiddie is a derogatory term used for an inexperienced malicious hacker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs on their own, and that their objective is to try to impress their friends or gain credit in underground hacker communities. [...]