Pentesting and IT Security Blog

Our passion for testing and defending infrastructures, applications and companies often leads us to the point where we want to share our thoughts and experience with the world. Here you can read all about our exploits and research and enjoy our posts, from useful howtos, to published CVEs, management strategies, new exciting tools and much more. As a provider of offensive and defensive IT services, we always welcome readers to reach out to us and ask questions or provide feedback, be it about our blog or our services, which include web-application and network penetration tests, system defense and hardening and management consulting, among others.

Importing private CA certificates in Android

date Mon Dec 07, 2015 category How to...
tags Security Encryption Certificate Trust Android

Internal encryption in company networks is important and something that's done relatively easy. By creating your own certificate authority (CA) and signing your server certificates with it, you can establish a centralized point of trust on all your devices, making it much more easy for you to mainta...

SSH public key verification with FingerprintHash

date Tue Nov 17, 2015 category Defense
tags Security Client Howto Access Crypto SSH

Whenever I'm connecting to a new remote server via SSH, I tend to verify the fingerprint to make sure that I'm actually connecting to my own machine. Usually it's not that big a deal as I'm simply comparing two strings, but what if those two strings are created with two different hashing algorithms?...

A First Look at Let's Encrypt Beta

date Mon Nov 16, 2015 category Defense
tags TLS Security Howto SSL

A few days ago, the TLS certificate (SSL is dead, remember?) of my private blog www.hashtagsecurity.com expired without me noticing it, mostly because I paused any activities there to focus on my work here at LastBreach as well as this blog. Since I didn't intend on working on hashtagsecurity.com...

Quick Guide – Hardening Apache2

date Fri Sep 18, 2015 category Defense
tags Security Howto Hardening

This is a quick overview of a secure Apache2 configuration. We won’t be going into Linux hardening, but will focus instead on the basic configuration options of Apache2. The following code boxes show examples of a secure configuration. Please adjust them to your requirements and test each of them be...

Why blocking paste on form fields is bad

date Wed Sep 02, 2015 category Secure Coding
tags Security Bad Practice Password Web Development

I was originally writing another blog post which I will now have to finish later but the recent discussion with @TalkTalkCare has left me little choice, so I wrote this one first instead. I want to address the problem, that a certain untruth doesn’t seem to die no matter how often the topic is bro...