The Unexpected Benefits of Threat Modeling
Threat modeling is a disciplined approach to technology design that identifies security threats and design constraints to prevent security flaws before they manifest in your platform.
Vulnerability Research and the Importance of Supporting Young Talent
This is a story with a happy ending where we were able to get back to the collaboration from the early open disclosure days, utilize modern practices to ensure responsible handling of the information, and allow a young person to make a positive contribution to infosec.
TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak
We discovered a fundamental design problem in VPNs and we're calling it TunnelVision. This problem lets someone see what you're doing online, even if you think you're safely using a VPN.
When You Have No Bars
A major network update failure led to a massive cellphone service outage across the US, impacting thousands and disrupting essential services. Despite cellular networks’ redundancy, the incident highlighted vulnerabilities in communication infrastructure when multiple base stations fail simultaneously.
WebSockets and Meteor: Attacking Meteor Applications with eighthundredfeet
eighthundredfeet is a starting point for a comprehensive pen test on any application written using the Meteor framework. In addition to exploiting some of the framework’s inherent vulnerabilities, it contains a set of classes that can help script a variety of attacks.
WebSockets and Meteor: Introduction to WebSockets for Penetration Testers
Most penetration testers know that common web security tools have limited support for WebSocket, but the differences between HTTP and WebSocket run much deeper than that. A successful penetration test on a WebSocket app requires a conceptual understanding of the protocol’s design.