Fighting Back Against SSL Inspection, or How SSL Should Work
ISE security analysts considered the increasing prevalence of SSL inspection on corporate networks, threats to the certificate authority model that could allow SSL inspection to spread to other types of networks in the future, and how built-in browser key generation capabilities could be leveraged to achieve mutual authentication and greatly frustrate, if not prevent, mass-scale, automated SSL inspection.
HTTPS Vulnerabilities
ISE identified 21 (70% of sites tested) financial, healthcare, insurance and utility account sites that failed to forbid browsers from storing cached content on disk, and as a result, after visiting these sites, unencrypted sensitive content is left behind on end-users' machines.
Exploiting SOHO Routers
ISE researchers discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. These vulnerabilities allow a remote attacker to take full control of the router's configuration settings; some allow a local attacker to bypass authentication directly and take control. This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.
Exploiting Android
Analysts at ISE have identified and exploited a security vulnerability in the Android operating system allowing a remote adversary to gain control on the device with the same permissions as the web browser application. A successful attacker will have access to information such as cookies used for accessing sites, information put into web application form fields, and saved passwords, and can alter the way in which the browser works, potentially tricking the user into entering sensitive information.
Exploiting Age of Conan
Security researchers at Independent Security Evaluators uncovered two security vulnerabilities present in the popular new and entertaining online game, Age of Conan, produced by Funcom. These vulnerabilities allow an attacker to read arbitrary files off of a victim's computer, crash the games during online play, and in the case of Anarchy Online, fully compromise a victim's machine giving the attacker full control of the targeted computer.
Exploiting SecondLife
ISE and outside researchers discovered an exploit for Second Life that grants control of one character to a malicious character. This allows the adversary to perform actions that may have real-world consequences such as stealing the in-game currency known as Linden dollars, or controlling the player's machine.
Exploiting the iPhone
ISE security researchers successfully discovered a vulnerability in the iPhone, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker.
Exploiting RFID Immobilizers
The Texas Instruments DST tag is a cryptographically enabled RFID transponder used in several wide-scale systems including vehicle immobilizers and the ExxonMobil SpeedPass system. This page serves as an overview of our successful attacks on DST enabled systems.
Case Studies
Contact us

Copyright 2005-2013 Independent Security Evaluators, LLC. All rights reserved.