HITCON Taiwan 2016

On 1-2 December 2016 we had the honor of sponsoring HITCON and visiting Taiwan for the first time.

Our adventure started on November 30th, when Noam and I landed in Taipei and had half a day to sightsee and set up our booth at the conference hall.

In the evening we were invited to the Team T5 reception, where we saw some old friends and made some new ones. We talked about the importance of the hacker community and how Beyond Security can support it in this era.

During the HITCON conference we had the opportunity to meet so many great people, give them awesome T-shirts for free, answer their questions and provide them with information about the SSD program and how it can help them report vulnerabilities more easily and get paid for them.

On the second day, Noam gave his lecture on “Why today’s security researchers cannot just publish vulnerabilities” and explained the problems currently present in the process of reporting vulnerabilities to vendors and why the current bug bounty programs do not offer a solution (the slides will be uploaded soon by HITCON).

We found the whole conference experience amazing; it was a privilege for us to be able to attend and sponsor HITCON 2016, especially since it allowed us to be part of the ‘international’ community of security researchers.

One last thing: Noam and Yannay Livneh (a speaker at HITCON) both had their birthdays during HITCON. Happy Birthday guys!

SSD Advisory – Fax.de Information Disclosure

Vulnerability Summary

The following advisory describes an information disclosure found at Fax.de. The vulnerability allowed an unauthenticated user to download other customers’ faxes from the past 24 hours without needing to perform anything more than visiting a directory and downloading the files found there.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

SSD Advisory – CakePHP Multiple Vulnerabilities

Vulnerability Description
The following advisory describes two (2) different vulnerabilities, one in the CakePHP framework and the other in a product that uses the CakePHP framework:

  • CakePHP Arbitrary Source Address Spoofing
  • Croogo ACL Bypass

Credit
An independent security researcher, Dawid Golunski (https://legalhackers.com/), has reported these vulnerabilities to Beyond Security’s SecuriTeam Secure Disclosure program.

DefCamp Romania 2016

We recently participated in the DefCamp conference in Romania. It’s our third time sponsoring this conference (!) and the first time we attended.

Because it was our first time participating in person, we also sponsored the CTF competition and, of course, the flights, conference entry and accommodation of the security researchers from our community who attended!

The opening session (November 9th) started with a great opening keynote by Noam Rathaus. The lecture drew on his experiences in vulnerability research, and Noam spoke about the complexity of the vulnerability reporting process.

After the opening keynote, we welcomed many of you, security and vulnerability researchers, at our booth in the Hacking Village to answer your questions and provide information about the SSD project and how it can help you report vulnerabilities more easily and get paid for them.

On the second day we were given the honor to announce the CTF winning teams and awarded the prizes!

We sponsor the CTF competition with great love, as it is our way to give back to the security researcher community.

We gave the following prizes to these great teams:

  • 1st – scryptos (Japan) – 1500€
  • 2nd – CS16 (Poland) – 1000€
  • 3rd – DCUA (Ukraine) – 500€

We also conducted two (2) workshops on “Fuzzing” during the conference and gave an interview to DefCamp’s staff, which was later posted on their conference web site.

We found the whole conference experience amazing; it was a privilege for us to be able to attend and sponsor DefCamp 2016, especially since it allowed us to be part of the ‘international’ community of security researchers.