Resource

Advisories

Apple’s Mail.app stores your S/MIME encrypted emails in clear text

Synopsis: Apple Mail.app does not store S/MIME encrypted emails securely in the
Drafts directory on the server.

Security tools

SIPVicious tool suite

Enables you to audit SIP-based VoIP systems. It can identify SIP phones, PBXs and other entities on the network. It can also find out which extensions are active on a PBX and brute-force the password for these extensions. You may download the toolset from our Google Code repository. We also maintain a VOIP Security blog.

Surf Jack Proof of Concept Tool

This tool forces web browsers to reveal their (insecure) cookies for HTTP and HTTPS sites. The demonstration shows how this can be done on Gmail, but the vulnerability affects many online services on the Internet, such as e-banking and financial sites.

Publications

Hakin9 Magazine

“Storming SIP Security” was an article published in the 02/08 issue of Hakin9. It covers the following:

  • Why IP Phone Systems are the new target
  • How VoIP systems can be broken into or simply abused for Toll Fraud
  • What you can do to prevent this

Download the article
Download the listings.

(IN)SECURE Magazine

At (IN)SECURE Magazine you will find my published column articles:

  • The 17th issue of this free magazine featured an article which talks about the Debian OpenSSL vulnerability and how it affects the solutions that we (security professionals) recommend. The article is called “When best intentions go wrong” and the magazine can be downloaded here.
  • The 18th issue of Insecuremag featured an article called “Closing a can of worms” which tackles the assumption that network traffic cannot be intercepted or modified during transit. This issue can be downloaded here.