In a brief yet fascinating press release, Europol just announced the arrest of an Italian man who is accused of “hiring a hitman on the dark web”. According to Europol: The hitman, hired through an internet assassination website hosted on the Tor network, was paid about €10,000 worth in Bitcoins to kill the ex-girlfriend of the […]

IETF has formally deprecated the TLS 1.0 and TLS 1.1 cryptographic protocols because they lack support for recommended cryptographic algorithms and mechanisms The Internet Engineering Task Force (IETF) formally deprecates Transport Layer Security (TLS) versions 1.0 (RFC 2246) and 1.1 (RFC 4346). Both versions lack support for current and recommended cryptographic algorithms and mechanisms. TLS […]

If you type in securityboulevard.com, Chrome version 90 will send you directly to the secure version of the site. Surprisingly, that’s not what it currently does—instead, Google’s web browser relies on the insecure site to silently redirect you. That’s slow. And it’s a privacy problem, potentially. This seemingly unimportant change could have a big—if unseen—impact. So long, cleartext web. In […]

CSRF arises because of a problem with how browsers treat cross origin requests. Take the following example: a user logs into site1.com and the application sets a cookie called ‘auth_cookie’. A user then visits site2.com. If site2.com makes a request to site1.com, the browser sends the auth_cookie along with it. Normally this doesn’t matter, if […]

Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We […]

HTTPS secures the connection to the website you are visiting. I’m sure you have seen this in action; look at the address bar in the browser and find the lock icon on the left-hand side. Is the lock closed? Then the connection is secure. Is it open, or is there another type of icon or […]

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code. Patch now, we said. And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72: The Chrome team is delighted to announce the promotion of Chrome 89 […]

Digital ad company Confiant, which claims to “improve the digital marketing experience” for online advertisers by knowing about and getting rid of malicious and unwanted ads, has just published an analysis of a malvertising group it calls ScamClub. According to Confiant, this group is behind a massive number of those annoying and scammy popup campaigns you will almost […]

Interesting research on persistent web tracking using favicons. (For those who don’t know, favicons are those tiny icons that appear in browser tabs next to the page name.) Abstract: The privacy threats of online tracking have garnered considerable attention in recent years from researchers and practitioners alike. This has resulted in users becoming more privacy-cautious and browser vendors […]

PayPal has fixed a reflected cross-site scripting (XSS) vulnerability that was discovered in the currency converter feature of user wallets on February 19, 2020, close one year ago. The ‘reflected XSS and CSP bypass’ vulnerability was reported by the bug bounty hunter “Cr33pb0y” through the HackerOne platform. “An endpoint used for currency conversion was found […]

An Introduction to Web Shells

The internet has come to be so developed, complex and ‘intelligent’ that, at present, you could say it is alive (like Skynet or The Matrix predicted?). Billions of people are online, every day, using the internet for work, entertainment, advice, you name it -it’s probably on the internet. We are now in the age of Artificial Intelligence and Big Data (or […]

This book begins by taking the reader to the 30,000′ view, so you can start to see the entire security landscape. I then attempt to explain a very simple threat modelling approach that I believe Bruce Schneier created, called the Sensible Security Model (SSM). We take the learnings from the first chapter and apply them […]

Penetration Testing is a method that many companies follow in order to minimize their security breaches. This is a controlled way of hiring a professional who will try to hack your system and show you the loopholes that you should fix. Before doing a penetration test, it is mandatory to have an agreement that will […]