Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers – is the security community’s go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Reflected File Download - A New Web Attack Vector

PLEASE NOTE: As promised, I've published a full white paper that is now available for download: White paper "Reflected File Download: A New Web Attack Vector" by Oren Hafif. On October 2014 as part of my talk at the Black...

Bitcoin Transaction Malleability Theory in Practice – Blackhat USA 2014

***UPDATE: 10/17/2014 A demonstration of Bitcoing transaction malleability using PUSHDATA2 is now available: The demonstration was created by Daniel Chechik, Rami Kogan and Ben Hayak. *** This August we (Daniel Chechik and Ben Hayak) gave a talk at Blackhat USA...

Touchlogging Part 3 - Final Thoughts

This is the third and final part on the subject of Touchlogging. I do recommend reading part one and part two before reading this final part. The previous parts described the technical details of the touchlogging attacks. In this part,...

Touchlogging Part 2 - Android

This is part two in my Touchlogging series, you can find part one here. In part one, I wrote a little bit about the background and how to intercept touch events on jailbroken iOS. This part will focus on Android....

Touchlogging Part 1 - iOS

Although there have been numerous articles posted, I thought I would write about my recent presentation at the RSA Conference on the subject of touchlogging. Since many people have asked, I got the term touchlogging from this paper. I do...

Trustwave SpiderLabs at OWASP’s AppSec USA 2013

Will you be at the OWASP Foundation's AppSec USA event next week in New York City? If so, be sure to stop by our booth, number one, for a chance to win a Pebble Smartwatch. And don't miss presentations by...

The Way of the Cryptologist

Right before DEF CON, a friend of mine reached out to me to ask if I would write a crypto challenge for his CTF. While it was a busy time for me, I didn't want to pass up the chance...

Introducing RDI – Reflected DOM Injection

The other day at DEFCON 21 we (Daniel Chechik and Anat Davidi) gave a talk introducing a new technique for delivering exploits by utilizing popular websites, we named the technique RDI which stands for "Reflected DOM Injection", and we explained...

Spiders Are Fun!, DEF CON's 21, Come Chat at Black Hat

Security week in Las Vegas will be here before we know it. The SpiderLabs team will be busy: talks (see a list below), a team meeting and our annual Spiders Are Fun! Party (reach out to your SpiderLabs contacts to...

Hooked on Packets: Reading PCAPs for D Students - Preview

SOURCE Boston is coming up in April, and Mike Ryan and I are giving a presentation about making packet analysis easier for the masses. One of the challenges with building new protocol parsers for tools such as Ettercap and Wireshark...

My 2013 RSA Conference Keynote the Jimmy Kimmel Influence

A few months ago, I was asked to present a keynote at RSA Conference 2013. This was a rather intimidating request given I was in a lineup that included Vint Cerf, Dr. Condoleeza Rice, Jimmy Wales and Andy Ellis. For...

Fraud, Passwords, and Pwnage on the Interwebz

This past weekend I was lucky enough to attend Microsoft's BlueHat Conference in Redmond WA and Security B-Sides Seattle. The combination of some of those talks succeeded in keeping some persistent issues alive in the hopes of finding a solution....

Finding Zero Days Reading Your Mind in the Year 2052

A number of months ago, I was approach by the organizers of TEDxNaperville to speak at their next event. Until this time, I was loosely familiar with TED* and had heard many other people talk about the great talks they...

How to Hack and Not Get Caught

The following thoughts on internal network penetration strategies are drawn from "OPFOR 4Ever," which I'll be presenting later this week with my colleague Chris Pogue at Microsoft's BlueHat Security Conference. Network penetration testers love to complain about the unrealistic scope...

Wherever you come from, you can meet BeEF

This year I've been very busy in terms of conferences, and developing/coordinating new features for BeEF. The move to GitHub has been successful: we are receiving many pull requests from our users, and we encourage everyone to do it. If...

Vulnerability Spidey Sense - Demystifying PenTesting Intuition

In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our presentation Vulnerability Spidey Sense - Demystifying PenTesting Intuition. The point of the talk will be that little mistakes and small vulnerabilities in a web application...

The Patsy Proxy: Getting others to do your dirty work

Patsy (slang) - A person easily taken advantage of, cheated, blamed, or ridiculed. My girlfriend (@savagejen) and I will be presenting at Derbycon this year about some research we've done into systems not configured as proxies, but which will pass...

DEF CON 20: French Fry, Pizza, or Rotten Apples?

If you currently do a search online for a female's perspective about DEF CON, everything is coming up sexual harassment. I've been asked a dozen times about my experiences in the past week alone and I can't say anything overly...

Stay Connected


Subscribe

Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.


Trending Topics