Would you like to try the beta of VoIPPack?

VoIPPack adds VoIP capabilities to Immunity CANVAS. For more information about VoIPPack take a look at the product page. We are currently running a private beta so send us an email to apply as a beta tester.

The following is a taster showing sipautohack scanning a target network, identifying PBX server, enumerating the extensions intelligently and finally cracking the password for each extension on the PBX. More demos here.


(IN)SECURE Magazine and other updates

This is an update of what's been happening on this end:snapshot-2008-12-01-10-16-301

  • Issue 19 of (IN)SECURE Magazine is out, and with it you'll find a report on RSA Europe 2008 and an article called "How security can hurt us" by yours truly. The magazine has a number of high quality articles and is  freely available from the main website.

  • Upcoming research: Vulnerabilities and tools related to Web Application Firewalls. Wendel Guglielmetti Henrique combined his and my research and presented it at H2HC. The presentation was called "Playing with Web Application Firewalls". Additionally, I presented my research at a local ISACA chapter. This research is still in its initial stage but is already showing significant results. Will be putting a separate post on this.

  • The blog at Acunetix now features posts by yours truly on (you guessed it) Web Application Security.

  • If you are based in Malta, then you might be interested in the Malta Infosec linkedin group that will be organizing some informal events "real soon". The blog is at


At RSA Europe 2008 - Talks of interest

Currently at RSA Europe in London and the Keynote is about to start. While we're being given a Discovery Channel styled lecture on Alan Turing, I've been marking the sessions that have a potential of being interesting. Marked the following:

  • Security Remodelling - Benjamin Jun

  • Locking the Back Door: New Backdoor Threats in Application Security by Chris Wysopal

  • A dialogue with ENISA

  • VoIP Threats and Countermeasures by David Endler (conflicts with the talk by Chris Wysopal)

  • Evolving threat landscape: Do we have to trade off browser functionality for security and privacy? Craig Spiezle (Microsoft)

  • Security Testing in Web 2.0 World by Billy Hoffman

  • SQL Smuggling by Avi Douglen

  • Regular expressions as a basis for Security Products are dead by Steve Moyle

  • Blinded by Flash: Widespread security risks flash developers don't see by Prajakta Jagdale

  • Mobile Banking and Identity Theft: Can your phone protect your identity? Patrick Bedwell

Then there's quite a few "special interest groups" that look intriguing as well.

Meanwhile Arthur W. Coviello of RSA is talking about why the way we do security fails, and suggesting a better approach. Talk about Information Risk Management Stategy, and picking on regulations and compliance.

I'll be posting live updates on If any visitors are around, feel free to send me a msg.


Does your software check for updates? You might be in trouble 

Note: this article originally appeared on EnableSecurity Newsletter #0x0001. To subscribe send an email to [email protected].

Most contemporary software attempts to perform automated updates for  one thing or another. Maybe it's a patch for the software itself, or simply a list of additional files that are required for day to day operations. Security software such as Antivirus software needs to be  automatically updated if it wants to protect against the latest threats instantly. Although of these updates do not have any sort of precautions for man in the middle attacks, no one seemed to care until the past few months.

It is only the latest DNS cache poisoning flaw that made researchers and security folks tick and start realizing that the upcoming patch might not be what it seems. Then Evilgrade came out. This software is an exploitation framework which allows penetration testers to demonstrate upgrade related flaws in the following software:

  • Java plugin

  • Winzip

  • Winamp

  • MacOS

  • OpenOffices

  • iTunes

  • Linkedin Toolbar

Meanwhile security advisories keep coming out identifying new software which is vulnerable to this attack:

I'm sure that this is only the tip of the iceberg and there is more to come.

Automated updates can be a life saver, and certain products cannot do without them (like Antivirus software). However (security) updates in particular should not be introducing this kind of security issue!

If you're a software vendor you have a responsibility to make sure that your automated updates are signed and verified in a secure manner

Apple security advisory

The newsletter issued yesterday included an advisory on's insecure storage of S/MIME on the email server. The main problem is that people making use of S/MIME expect encryption to protect them from a snooping mail server, and the default "store drafts on mail server" option does not respect this.

At this stage Apple did not release anything to address this issue because it might require architectural changes. I understand that - however publishing a solution to this issue does not have to consist of a patch. This is why I'm publishing the advisory and the below solutions, so that clients that are concerned about this can mitigate.

If you would like to stick to

  • Go to the Preferences and select the account from the accounts tab

  • Select the "Mailbox behaviors" tab

  • Uncheck the option "Store draft messages on the server"

Otherwise some other email clients are not vulnerable because they encrypt the drafts emails before they are sent to server.