Some readers may remember our Analysis of .git folders in the Alexa Top 1M. WIth our tools we were able to discover and retrieve (hidden) directories and files (even without directory listing). We developed a similar approach of uncovering hidden files again, but this time with the help of .DS_Store files. In this blogpost we will share the methodology, the resulting security implications as well as our results from scanning the Alexa Top 1M and how we could have obtained sensitive files from several websites.
2017 in retroperspective / outlook on 2018
Similar to the last years we are doing a review of our work in 2017 and will try to give a short outlook on our plans for 2018.
Certificate Transparency as a source for subdomains
We have been quite busy this year, but we would like to release a small project nonetheless: Curating a list of subdomains based on certificate transparency logs that we’ll happily share with the community and publish new results every hour.
Looking back on 2016 / Outlook on 2017
It has become tradition to write a short review of the last year and about the plans for the next one.
Analysis of a cryptomining malware or why clicking on folder icons can be dangerous
A while ago we did some research about industrial control systems (ICS) and found a file named “photo.scr” on some of those. We want to share what we’ve learned about this file in this blogpost - in order to make sure that people find out how the malware works and how you can protect yourself from such a threat.
How we pwned your ICS or why you should not put your HMI on the internet
The team of Internetwache.org has researched the security of industrial control systems (ICS) for the past months and we have discovered more than hundred unsecured controls of waterworks, heating stations, parking lots and buildings.
Going to Troopers 2016
Internetwache CTF 2016 review
Penultimate weekend, we hosted our very first jeopardy style capture the flag event: The Internetwache CTF 2016
In this blogpost, we will write about the CTF from the organizer’s perspective. What was the setup? What went wrong? What did we learn? What was good? What can we do better next year? We hope that this insight can help other CTF organizers in the future.
Going to the Security Analyst Summit #TheSAS2016
Recently Tim was invited to visit the Security Analyst Summit of Kaspersky Labs (#TheSAS2016) which took place on Tenerife (Canary Islands) in february this year. In this post he shares his experience and wants to give a short overview of interesting topics (for the security research community).
TL;DR: #TheSAS2016 was a great experience and Tim learned a lot, because every day was filled with adventures or learning and seeing new things! The location was very nice, the atmosphere was amazing, the people were friendly - all in all everything was excellent!
CVE-2016-1926 - XSS in the Greenbone Security Assistant
Recently Tim has been working with the software framework “OpenVAS” (“Open Vulnerability Assessment System”). This software is open source so we spent some evenings looking for bugs in the webfrontend, the Greenbone Security Assistant. After some time Sebastian found two bugs and we were able to submit those - they are fixed now.