New blog over at Neohapsis Labs
The fine folks over at Neohapsis Labs appear to have a new blog focused on security-related information. Technically, I guess they've had it up since January, but the posts are more frequent now. I just added them to my RSS feeds.
Both Mike Murray and Cris Neckar have posted some interesting tidbits, ranging from technical topics such as Connect-back shells to the non-compliance issues surrounding Web application security.
I also recently noticed that Neohapsis is now a PCI-approved QIRA (Qualified Incident Response Assessor). One of the drawbacks of this program is that it appears that Visa can play the trump card and decide to respond to any incident without independent third-party review. Imagine if the same rules applied to QSA or ASV assessments!
Update (Tue Apr 29 06:15): Craig Smith just posted a new blog entry on Seed Racing: The Art of Exploiting Race Conditions in Random Number Generators, a paper written by him, Patrick Toomey, and Cris Neckar. In the paper, they discuss a common PRNG vulnerability and cite an example in .NET. A quick run-down:
In a localhost experiment Neohapsis sent 67,000 requests to a server with a random password generation routine similar to the one in our example. We only received 208 unique responses from the server. That is approximately 322 duplicate passwords. Again, that is under a rather ideal situation, you probably will not have that many duplicates in a real world scenario.
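As an added illustration (not code from the paper, from Neohapsis, or from this post), the Python simulation below models the seeding weakness the run-down describes: a non-cryptographic PRNG seeded from a coarse clock value hands the same "random" password to every request that lands in the same tick, while a generator backed by the OS CSPRNG does not. The burst size, the starting tick value, the password alphabet and the load shape are constructed assumptions; the 67,000-request / 208-unique-response figures quoted above are the paper's and are not reproduced here. The duplicate count it reports is the same kind of measurement the experiment made, and it is the check a defender can run over a batch of issued passwords or tokens.

```python
"""Simulation: time-seeded password generator versus a CSPRNG-backed one.

Constructed example modelling the weakness described in the Neohapsis
seed-racing paper; it is not the paper's code or Neohapsis code.
"""
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits  # assumed alphabet
PASSWORD_LEN = 10                                # assumed length


def weak_password(tick):
    """Seed a non-cryptographic PRNG from a coarse clock value.

    Every request handled within the same tick constructs an identical
    Random instance and therefore receives the identical password.
    """
    rng = random.Random(tick)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def strong_password(tick=None):
    """Draw from the OS CSPRNG; the clock plays no role, so the tick is ignored."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def simulate(n_requests, requests_per_tick, generator):
    """Constructed load: requests arrive in bursts, each burst sharing one tick.

    The starting tick of 1_000_000 is a hypothetical clock reading.
    """
    passwords = []
    for i in range(n_requests):
        tick = 1_000_000 + i // requests_per_tick
        passwords.append(generator(tick))
    return passwords


def duplicate_report(passwords):
    """Return (unique_count, duplicate_count, worst_repeat) for a batch.

    A large duplicate count, or a worst_repeat above 1, indicates the
    generator is not behaving randomly and warrants investigation.
    """
    counts = Counter(passwords)
    unique = len(counts)
    duplicates = len(passwords) - unique
    worst_repeat = max(counts.values()) if counts else 0
    return unique, duplicates, worst_repeat


if __name__ == "__main__":
    # 1,000 requests, 10 per tick: the time-seeded generator can produce
    # at most 100 distinct passwords, so 900 of the 1,000 are duplicates.
    weak = duplicate_report(simulate(1000, 10, weak_password))
    strong = duplicate_report(simulate(1000, 10, strong_password))
    print("time-seeded PRNG: unique=%d duplicates=%d worst_repeat=%d" % weak)
    print("secrets CSPRNG:   unique=%d duplicates=%d worst_repeat=%d" % strong)
```

The fix the simulation points at is the one the paper's title implies by contrast: take secrets from a cryptographic generator that is not seeded from the clock at all (Python's secrets module here; in .NET, System.Security.Cryptography.RandomNumberGenerator), rather than trying to make a time-based seed finer-grained.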