Bishop Fox Blog

A space dedicated to sharing our thoughts on the latest cybersecurity news, trends, and threats


How to Engineer Secure Things: Past Mistakes and Future Advice

Things are all the rage right now — more specifically, connected and embedded things. As a result of the increasing demand for connectivity and the decreasing cost of hardware, engineers and developers are pushing computing power and connectivity into everyday things — refrigerators, light bulbs, TVs, cars, and other devices. Companies are under constant pressure to send things out quickly and into the hands of users. Security often becomes an afterthought. To say Internet of Things security is often lacking is an understatement. 

The Triad Triumph: Bishop Fox Remains a Top Place to Work

Bishop Fox has been named by The Arizona Republic as a Top Place to Work in its annual survey, and not for the first or second time, but for the third time in a row. This award is reserved for “companies with commendable workplace practices and which received high scores in terms of employee engagement and satisfaction.” We’re in good company with many household names, and we’re honored to be included among them.

The Power of 'Agile' Security at Dun & Bradstreet

Interview with Jon Rose, Dun & Bradstreet

In this wide-ranging cybersecurity expert interview, Bishop Fox Partner Vincent Liu chats with Jon Rose, CSO of Dun & Bradstreet. The two discuss the commercialization of security, the road to becoming a CSO, and how agile helped his security team take control of day-to-day activities and better manage priorities.

If You Can't Break Crypto, Break the Client: Recovery of Plaintext iMessage Data

CVE-2016-1764, fixed by Apple in March of 2016, is an application-layer bug that leads to the remote disclosure of all message content and attachments in plaintext by exploiting the OS X Messages client. In contrast to attacking the iMessage protocol, it is a relatively simple bug. You don’t need a graduate degree in mathematics to exploit it, nor does it require advanced knowledge of memory management, shellcode, or ROP chains. All an attacker requires is a basic understanding of JavaScript.

On Apple, Encryption, and Privacy: A Word About Decryption

In February 2016, Apple announced that it would fight the FBI’s court order to break the encryption of the iPhone of one of the San Bernardino attackers. We wrote a blog post on that decision; this is a follow-up to that original piece.

CA Single Sign-On Software Update: Stay Secure

One of our researchers—Mike Brooks, also known as rook—found two high-risk vulnerabilities in the CA Single Sign-On (formerly CA SiteMinder®) application, created by CA Technologies.

On Apple, Encryption, and Privacy

In the wake of news that Apple plans to oppose a federal court order to assist the Justice Department in decrypting data stored on an iPhone belonging to one of the San Bernardino attackers, a broader conversation about encryption, privacy, and law enforcement has begun.

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition

PortSwigger is back with a brand new invention

The newest addition to the much beloved Burp Suite, Collaborator, lets penetration testers observe external resource interactions made by their targets, especially those triggered through blind injection. It works by running a server, listening on a domain the tester controls, that records incoming HTTP and DNS requests and reports them back to the Burp client; each payload embeds a unique subdomain of that domain, so any interaction the server sees can be traced back to the exact request and parameter that triggered it.
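To make the mechanism concrete, here is a stripped-down model of the Collaborator idea, written for this page as an added illustration (it is not PortSwigger's code and makes no claim about their implementation). It assumes a hypothetical tester-controlled domain, oob.example.net, and feeds the listener a constructed log of DNS and HTTP interactions, including noise that must be ignored. The point it shows is the correlation step: each payload carries a fresh random token as a subdomain, and the token in an observed lookup or fetch identifies the originating request and parameter.

```python
"""Simplified out-of-band interaction correlation, Collaborator-style.
Added example for illustration only; not PortSwigger's code.

Every payload embeds a unique subdomain of a domain the tester controls.
When a blind injection fires server-side, the target resolves or fetches
that name; the listener logs the token, which maps back to the payload.
"""
import re
import secrets
from dataclasses import dataclass

OOB_DOMAIN = "oob.example.net"  # hypothetical tester-controlled domain


@dataclass
class Payload:
    request_id: str   # which request in the tester's history carried it
    parameter: str    # which parameter the payload was injected into
    token: str        # random label that makes the subdomain unique
    value: str        # the concrete string sent to the target


@dataclass
class Interaction:
    token: str
    kind: str         # "dns" or "http"
    source: str       # client IP seen by the listener
    detail: str       # query name or request path


class Collaborator:
    def __init__(self, domain=OOB_DOMAIN):
        self.domain = domain
        self.payloads = {}       # token -> Payload
        self.interactions = []   # everything the listener accepted

    def mint(self, request_id, parameter, template):
        """Issue a payload whose {host} placeholder is a fresh unique subdomain."""
        token = secrets.token_hex(8)             # 16 lowercase hex chars
        host = f"{token}.{self.domain}"
        payload = Payload(request_id, parameter, token, template.format(host=host))
        self.payloads[token] = payload
        return payload

    def _token_from_name(self, name):
        """Extract the token label sitting directly under our domain, else None."""
        suffix = "." + self.domain
        name = name.rstrip(".").lower()
        if not name.endswith(suffix):
            return None
        label = name[:-len(suffix)].split(".")[-1]
        return label if re.fullmatch(r"[0-9a-f]{16}", label) else None

    def on_dns_query(self, qname, client_ip):
        """Called by the authoritative DNS side for each query it receives."""
        token = self._token_from_name(qname)
        if token:
            self.interactions.append(Interaction(token, "dns", client_ip, qname))
        return token

    def on_http_request(self, host_header, path, client_ip):
        """Called by the HTTP side; the Host header carries the token."""
        token = self._token_from_name(host_header.split(":")[0])
        if token:
            self.interactions.append(Interaction(token, "http", client_ip, path))
        return token

    def report(self):
        """Map each observed interaction back to the payload that caused it.
        Interactions whose token we never issued are dropped, not reported."""
        hits = []
        for i in self.interactions:
            p = self.payloads.get(i.token)
            if p:
                hits.append((p.request_id, p.parameter, i.kind, i.source))
        return hits


def demo():
    c = Collaborator()
    # Two candidate injection points in one request (constructed values).
    p_url = c.mint("req-42", "callbackUrl", "http://{host}/")
    p_host = c.mint("req-42", "smtpHost", "{host}")

    # Constructed listener log: the target resolved and fetched the callbackUrl
    # payload, never touched the smtpHost one, and the listener also saw noise.
    c.on_dns_query(f"{p_url.token}.{OOB_DOMAIN}.", "198.51.100.7")
    c.on_http_request(f"{p_url.token}.{OOB_DOMAIN}", "/", "198.51.100.7")
    c.on_dns_query("www.example.com.", "198.51.100.7")                 # unrelated
    c.on_dns_query(f"deadbeef00000000.{OOB_DOMAIN}", "203.0.113.9")    # unissued token
    return c.report()


if __name__ == "__main__":
    for request_id, parameter, kind, source in demo():
        print(f"{request_id} param={parameter}: {kind} interaction from {source}")
```

The reported hits name only callbackUrl, because only its token came back; smtpHost stays silent, and the lookup carrying a token that was never issued is discarded rather than attributed. In a real engagement the DNS interaction alone is often the only signal you get, since the target's egress filtering may block the HTTP fetch but rarely blocks recursive DNS.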

Building a Winning Security Team From the Top Down

In a wide-ranging Q&A at Bishop Fox's San Francisco offices, Dropbox Head of Trust & Security Patrick Heim spoke with Bishop Fox Partner Vincent Liu about some serious and not-so-serious issues facing the security industry today.

Fishing the AWS IP Pool for Dangling Domains

Amazon and other cloud providers have made it child’s play to spin up ephemeral server instances for quick deployment of various services. If you want a web server to host your new .io domain name, you can have it set up in no time at all. Starting a website has never been easier — just spin up an EC2 instance, install your stack, point your domain/subdomain to the instance, and kill it when you’re tired of it. The catch is that the DNS record usually outlives the instance: the released address goes back into the provider's pool, and whoever gets it next inherits a name that still points at them.
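The defensive counterpart to fishing the pool is auditing your own zones for records that still point into it. The following is an added example written for this page, not Bishop Fox's tooling: it reads the schema of Amazon's published ip-ranges.json (the prefixes here are constructed TEST-NET ranges, not real AWS space), takes a constructed set of A records and the set of public IPs we still hold, and flags any record whose target sits inside the EC2 pool at an address we no longer own. Such an address is exactly what another tenant can end up being assigned.

```python
"""Flag DNS A records that point into a cloud provider's public pool at an
address we no longer hold.  Added illustration of the dangling-domain
problem; not Bishop Fox's code.  All inputs are constructed so it runs offline.
"""
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json:
# same schema as the real file, but TEST-NET prefixes rather than AWS ranges.
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2016-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24",  "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "CLOUDFRONT"},
    ],
})

# Constructed zone export: record name -> A record targets.
ZONE = {
    "www.example.io":     ["203.0.113.10"],    # EC2 pool, instance still ours
    "staging.example.io": ["203.0.113.55"],    # EC2 pool, instance long gone
    "cdn.example.io":     ["192.0.2.8"],       # CloudFront, not the EC2 pool
    "mail.example.io":    ["198.51.100.200"],  # just outside the /25 EC2 prefix
}

# Public IPs currently attached to instances or Elastic IPs we hold
# (in practice: describe-instances / describe-addresses output). Constructed.
OWNED_IPS = {"203.0.113.10"}


def load_networks(raw_json, services=("EC2",)):
    """Parse the ip-ranges schema into (network, region) pairs for the
    services whose addresses tenants can actually be assigned."""
    data = json.loads(raw_json)
    return [
        (ipaddress.ip_network(p["ip_prefix"]), p["region"])
        for p in data["prefixes"]
        if p["service"] in services
    ]


def classify(ip, networks):
    """Return the region whose prefix contains ip, or None if it is outside the pool."""
    addr = ipaddress.ip_address(ip)
    for net, region in networks:
        if addr in net:
            return region
    return None


def find_dangling(zone, networks, owned):
    """Records pointing into the pool at an address we do not hold.
    Anyone launching instances in that region can eventually be handed the
    address, at which point the name resolves to their host."""
    findings = []
    for name, targets in zone.items():
        for ip in targets:
            region = classify(ip, networks)
            if region is not None and ip not in owned:
                findings.append({"name": name, "ip": ip, "region": region})
    return findings


if __name__ == "__main__":
    nets = load_networks(IP_RANGES_JSON)
    for f in find_dangling(ZONE, nets, OWNED_IPS):
        print(f"DANGLING {f['name']} -> {f['ip']} ({f['region']})")
```

Only staging.example.io is reported: www's address is still ours, mail's address falls just outside the /25 prefix, and the CloudFront record is excluded because CloudFront addresses are shared front-end IPs rather than tenant-assignable ones. Run against a real zone export and the live ip-ranges.json, the same check also wants a CNAME pass, since names aliased to a decommissioned EC2 public hostname are dangling in the same way.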
