Bishop Fox Blog

A space dedicated to sharing our thoughts on the latest cybersecurity news, trends, and threats


Popular Posts:

Stand Your Cloud #2: Host Server Hardening

In our previous post, we discussed how to minimize security risk and data loss by securing the AWS environment. In this installment of our series, we will continue exploring this subject on the server level and discuss some best practices to follow to help strengthen your infrastructure.

The Active Directory Kill Chain: Is Your Company at Risk?

In May of 2014, Microsoft released Security Bulletin MS14-025. The vulnerability described in this disclosure could allow for the elevation of privilege if Active Directory Group Policy is used to distribute local administrator passwords throughout a domain. In this blog post, we will walk through an entire attack scenario centered around the use (and abuse) of this vulnerability.

ColdFusion Bomb: A Chain Reaction From XSS to RCE

During an audit of ColdFusion 10 and 11’s administration panel, I discovered a reflected, DOM-based cross-site scripting flaw, and in this blog post, I will show you how to leverage that vulnerability to gain remote code execution on the ColdFusion application server.

An Overview of BGP Hijacking

This blog post was authored by Security Associate Zach Julian; you can connect with him on Twitter.

On the "Brink" of a Robbery

When you think of a safe, you think exactly that: something that is inherently safe (because it protects, you know, money and other valuables). Traditional safes may hardly have been considered “secure,” but their computerized counterparts — so-called smart safes — may be even less secure.

Bishop Fox is Still a Top Place to Work

Well, this feels a little like déjà vu, doesn’t it? Last year, we proudly announced that we were named by CareerBuilder as a Top Place to Work For in Arizona. This year, the same is true once again.

ISO 27018: The Long-Awaited Cloud Privacy Standard

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) released a new privacy standard for public cloud computing environments in August of 2014.

Rethinking & Repackaging iOS Apps: Part 2

In the first part of our series, we looked at how to modify an iOS application binary by inserting load commands to inject custom dynamic libraries. In Part 2, we take this a step further by introducing a toolchain designed to make some of our favorite iOS application hacking tools available on non-jailbroken devices.

Security Should Be Application-Specific

I'm looking for the perfect pants. They’re brown. They’re sturdy. They’re business casual. They have many huge pockets, artfully arranged so that I don’t look like a pack rat even after I stash my stuff in them. They don't cost a fortune. And of course, they fit me perfectly.

Vulnerable by Design: Understanding Server-Side Request Forgery

Sometimes, walls get in the way, and when that happens, we need a door. A door needs a proper lock, or a security vulnerability may result. Server-side request forgery (SSRF) vulnerabilities can manifest in a number of ways, but usually it’s because a door was installed without a lock.
