Frank Breedijk

The adversary factor

“Droidcon Berlin 2015 - Tag 2” a CC SA image by droidcon Global (https://www.flickr.com/photos/133733835@N08/18453997082/)
There is one thing that sets Security apart from all other areas of expertise that you find in modern-day businesses. No, it isn’t our love for black t-shirts, the infinite amount of Club Mate we seem to be able to digest, or our sticker-covered laptops. It is that adversaries are part of the daily routine. Security in that sense is a negative occupation, since you are always securing yourself from somebody. Even when you compare seemingly similar fields like safety...

IMPORTANT: By reading this article you accept the conclusions ☁ + sourcing - cl / d = t

Image from https://fsfe.org/contribute/spreadtheword.en.html#nocloud CC-BY-SA created by Markus Meier
Lately I have been looking a lot into the risks and security aspects of cloud services. And to be honest, from a security perspective, cloud is not that new. Most of the risks associated with cloud services are actually exactly the same as those related to outsourcing, a subject I’m obviously quite familiar with. In that respect, the Free Software Foundation Europe (https://fsfe.org) is quite right. Yet, saying that Cloud is just the same as outsourcing would not...

Monkey see, monkey patch…

Way In – A CC NC SA image by Steven Feather (https://www.flickr.com/photos/7317295@N04/25334993474/)
Every now and then there is major news in the world of cryptography, or in this case the world of breaking cryptography. This month a team from CWI (Centrum voor Wiskunde en Informatica) and Google announced that they have created a practical attack, called SHAttered, on the SHA-1 hashing algorithm. What is SHA-1? SHA-1 stands for Secure Hashing Algorithm – 1. As the name suggests it is a hashing algorithm. A hashing algorithm can be used to...

WYSIWYG

Since I’m a forty-something Dutch guy, the first word processor I started to use after the typewriter was WordPerfect. This is the word processor I used in school and wrote my graduate thesis on. One of the “features” of WordPerfect was what the Dutch called the underwater screen. The underwater screen allowed a user to actually see what special characters WordPerfect was using as an internal representation of the document as it would be formatted...

Information Security: Going full Triangle

JPG-Triangles-and-Circles-Squared a CC NC image BY Lex McKee
Everybody who ever did a formal information security training or searched for information security on Wikipedia[1] is familiar with the information security triangle. The theory of this triangle is that information security is about protecting information against threats to its Confidentiality, Integrity or Availability (often abbreviated as CIA). Early information security One of the earliest and most famous examples for applied information security is...

Responsible Disclosure a year in review - 2016

It is that time of the year again! The time to worry about losing the holiday pounds, but also the time to do our yearly review of our Responsible Disclosure program. Let's start by killing the suspense: we only sent out two rewards in 2016. Does this mean we did not get any reports in 2016? No, in total over 1000 tickets were created. Over 4/5 of them were either spam, noise (like account confirmation emails and such) or abuse messages for our Atom86 team. We...

Crime, ransomware and defense

Locked computer laptop a CC SA image by Santeri Viinamäki (https://www.flickr.com/photos/145428795@N04/28670641384/)
“I rob banks because that is where the money is”, is a famous quote attributed to (in)famous bank robber Willie Sutton[1]. It is also known as Sutton’s Law. Sutton’s Law still holds true for many things, including modern (cyber)crime. If you want to earn money from your crimes, focus on what people value most. Ransomware is an example of just this. Criminals target what is most valuable to organisations and individuals: their data or memories. The...

Phish Bait - The discovery of a massive multi-bank Phishing as a Service platform

A CC ND image by Bankenverband - Bundesverband deutscher Banken
On the 26th of October 2016 the Schuberg Philis CSIRT team received three alerts that started an investigation. During this investigation we discovered an early version of an online phishing site containing over 1200 online banking URLs with matching strings for failed login, please wait and site unavailable. This story covers the technical details of the site and the investigation.

Live blog Blogging live from Hack in the Box Amsterdam

Today I will be blogging live from the “Beurs van Berlage” covering the 2015 edition of Hack in the Box (hashtag #HitB2015Ams). Please watch this space as I will attempt to put the blog post up shortly after, or even before the speaker leaves the stage.
