Cyberis is an innovative information security consultancy which was formed in 2011. Cyberis' founders have 30 years of experience between them working in the information security industry and are able to call upon a wide range of skills and abilities.
I find myself writing this blog today as there are only a few references on the internet to user enumeration attacks via timing discrepancies, despite almost every site I've tested in my career being vulnerable to the weakness.
The issue is fairly obvious from the title; an application log-in response takes a differing amount of time depending on whether or not the user is valid. But why?
This is a technical blog post on using trusted online services as delivery and command and control (C2) channels in simulated attack scenarios. Written by Geoff Jones - Director and Simulated Attack Specialist at Cyberis.
Who Needs Rep?
Larger organisations often employ reputational filtering of web traffic to defend against delivery of malicious code and the exfiltration of data if a compromise were ever to occur. It's an effective control provided by many next-generation firewalls and web proxies, including newer cloud-based solutions such as Zscaler.
Today's announcement (https://www.krackattacks.com/) of the KRACK attacks against WPA2 represents a serious security concern for all wireless networks. The de facto wireless encryption standard, which has resisted hacking attempts for 14 years, has finally fallen. Both personal and enterprise versions of the protocol are vulnerable.