

Information Security User Guide

This Information Security Guide is meant for all users in the organization. The Guide summarizes the most central basic issues of information security and gives practical advice for the implementation of information security in one’s own work. If you need more information you should first check the organization’s IS Policy manual. Link to guideline

Risk Analysis – A valuable tool for organizations / comparative analysis

Over the past few years, there has been a rapid development of Global IT infrastructures, which has fundamentally shifted the way information is managed today. In this dynamic environment, new dependencies and new risks are born. Information is a valuable business asset and organizations must make sure that information remains available and trustworthy yet protected […]

Obrela Security Industries Advisory (OSI-1402)

Advisory ID: OSI-1402. Description: Twelve vulnerabilities exist in ettercap-ng which allow remote denial of service and possible remote code execution. Specifically, the following vulnerabilities were identified: A Length Parameter Inconsistency at ettercap 8.0 dissector_postgresql() which may lead to remote code execution or denial of service. An arbitrary write of zero into any location at […]

Multiple vulnerabilities identified on Aircrack-ng

About a month ago I identified four vulnerabilities in the Aircrack-ng suite. A brief but technical description may be found below. Furthermore, references to the proof-of-concept exploit code and the OSI advisory may be found at the end of this article. CVE-2014-8322 One of them could lead to remote code execution. Specifically in aireplay’s tcp_test function […]

Obrela Security Industries Advisory (OSI-1401)

Advisory ID: OSI-1401. Description: Four vulnerabilities exist in aircrack-ng <= 1.2 Beta 3 which allow remote/local code execution, privilege escalation and denial of service. Specifically, the following vulnerabilities were identified: A stack overflow at airodump-ng gps_tracker() which may lead to code execution, privilege escalation. A length parameter inconsistency at aireplay tcp_test() which may lead to […]

Critical vulnerability on Drupal 7

Today a vulnerability was disclosed under CVE-2014-3704 / SA-CORE-2014-005 in Drupal <7.32 that allows an unauthenticated attacker to execute arbitrary SQL. The Proof of Concept was disclosed and involved the SQL update of the user with UID=1 (admin). Where is this based? It exists (existed) in the Drupal core. Drupal 7 includes a database […]

POODLE attack or the end of SSLv3

Google has recently disclosed a (new?) SSLv3 vulnerability that allows an attacker controlling the SSL-encrypted network stream between client and server to extract the plaintext of specific parts of the communication, most “preferable” cookies. Does it have to do with BEAST again? Due to the well-known insecurities of SSL, researchers have speculated the existence of […]

Critical GNU Bash Vulnerability

On Wednesday, 24 September 2014, a new and very powerful vulnerability affecting Linux and Unix-based systems was published (CVE-2014-6271). The vulnerability allows attackers to execute system commands on vulnerable systems and potentially compromise the integrity, availability and confidentiality of information. At the time of this writing, the vulnerability is used for malicious intentions including infecting […]

Integrating People Process and Technology

Being in and remaining in a “secure state” requires a continuous process of awareness, preparedness and readiness. It is a highly demanding, cross-domain activity that covers nearly all aspects of an organization and involves resources with different skills and levels of expertise. The triumvirate of People, Process and Technology is mandatory to achieve and maintain […]