tssci security

Archive for Security

Decoding and Tampering Protobuf Serialized Messages in Burp

If you've ever assessed or poked at an application that uses Google Protocol Buffers, you know how painstaking the whole process can be. When you're lucky enough to have a corresponding .proto, crafting messages via generated APIs is tedious. When you [...]

web2py: Key as Initialization Vector

It's not uncommon for developers to accidentally (or purposefully) commit passwords or other information supposed to remain secret into revision control. It's also not uncommon to see RSA private keys indexed by Google, and GitHub made it even easier to [...]

Extending Burp with Jython Burp API

Last year, I released the Jython Burp API, a plugin framework to Burp that allows running multiple plugins simultaneously, exposes an interactive Jython console, provides Filter-like functionality, and eases developing plugins at runtime by providing [...]

Pentesting Flex

I've posted an entry over on my employer's blog on Penetrating Intranets through Adobe Flex Applications. I've also released a new tool along with it, called Blazentoo. This tool exploits insecurely configured BlazeDS Proxy Services, potentially allowing [...]

What makes a solid security program?

In my most recent post, I identified the direction and state-of-the-art in application security. We all know of the importance of application security in today's environments. However, finding out where to fit application security policies and programs [...]

Blackhat USA 2009 / Defcon 17

It's that time of year again, where we all come out of hiding and meet in Sin City to cause nothing but trouble. The brave venture out into the scorching hot sun during the day and some even dare tempt the waters at Rehab. The rest of us wait until dark, [...]

Appsec industry trends - looking forward

Recently, it has come to my attention that industry people I respect (and vice versa) have desired me to re-post some comments I've made on other blogs. It's also high-time that we at TS-SCI/Security begin writing again. I can tell you that since March [...]

Virtual appliances for the security professional

Virtual Infrastructure Security Facts The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical servers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared [...]

Web application security incident handling

I thought I'd take a moment to post about some web security tools I use pretty often, which help as a security consultant when responding to various web hacking related incidents. These tools have helped me write my own scripts whenever I'm in a jam and [...]

Post to webappsec mailing-list on WAF and pen-test: dead again

There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use. However, WAF is dead and dying regardless. I think that very large-installation, Internet-facing web applications require Anti-DDoS [...]

Guests on OWASP Podcast #6

Jim Manico invited Dre and me to join him with Brian Holyfield on this week's OWASP Podcast. Topics of discussion included our thoughts on web application security, WAFs, training, among others. Give it a listen, and tell us what you think. OWASP Podcast [...]

Introducing SSLFail.com

Hey all, I'd like to introduce all of you to a new site Tyler Reguly and I, along with Romain Gaucher and Jay Graver set up last week, SSLFail.com. The site's purpose is to point out the failures in various sites' SSL implementations. We'll be publishing [...]

SANS Top 25 Procurement Language and the OWASP Secure Software Contract Annex

As many of you have probably already heard, SANS, in a combined effort with MITRE released the CWE/SANS Top 25 Most Dangerous Programming Errors. There have been numerous discussions on both the Secure Coding List and Webappsec mailing lists, along with [...]

bruteoptions.py -- Get allowed HTTP Methods for a list of directories

A recent email by Dave Aitel to the Dailydave mailing list on Pen testing web servers was an inspiration to publishing a short, but simple script. I like to keep things simple when I write scripts, taking the Unix philosophy of doing one thing and doing [...]

Writing a web services fuzzer in 5 minutes to SQL injection

This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn't have much time to do the test, so I had a couple advantages, like having network access [...]

Decreasing Security for Perceived Security -- all in the name of compliance

Today I ran into a little setback for an issue I did not foresee. For the past several months, I've been on a PCI remediation project, of which one of my tasks was to implement a web application firewall to address PCI requirement 6.6. Now, for everyone [...]

Looking forward to OWASP EU Summit Portugal

In only a couple weeks, many of the greatest minds in web application security will come together again for OWASP EU Summit in Algarve, Portugal. The Summit is a gathering whose main goal is, besides promoting the exchange of ideas on web application [...]

Don't Tell Mom the World is Gonna End

Today, another vulnerability has been making the headlines, various industry security professionals predicting apocalypse, genocide and famine along with everything in between. It first started earlier this summer, back when Dan Kaminsky, in a [...]

OWASP NYC AppSec 2008 and NYSec Recap

Living in NYC has its perks, one being that we host the largest OWASP chapter across the world. The NY/NJ Metro chapter put a lot of effort into making sure this last week went smoothly, even with the change of venues at the last minute. I had a lot of [...]

Fun with WiFu and Bluesniffing

This is just going to be a long list of links with rants. I have taken up the duty of disseminating information on the latest in WiFi and Bluetooth penetration-testing for no real reason other than it's on the tip of my tongue. First, we have the [...]

OWASP AppSec NYC 2008 -- Will you be there?

The OWASP AppSec NYC 2008 conference is only a couple days away, with training starting at 9AM on Monday. I will be attending the "Advanced Web Application Testing" training course with Eric Sheridan of Aspect Security. I'm really looking forward to this [...]

Web Application Security Tomorrow

Jeremiah Grossman wrote in the opinion section for Application security in CSO Online magazine about Web Application Security Today -- Are We All Insane? I have an opinion of my own which I would like to share with my readers. Jeremiah spreads FUD -- [...]

Google Chrome first look

The bad: It's a front-end to WebKit much like Safari, with no bells-or-whistles The only add-ons are Web Inspector (from WebKit), Chrome's own Task Manager, and Chrome's own Java Debugger (they could have at least used Drosera which comes with Web [...]

Happy Two-Year Anniversary

Yesterday we celebrated tssci-security.com's two-year anniversary. I started this site on August 23rd, 2006 during my first internship, and oh my, how the time flew by. A lot of good things have come my way -- most as a direct result of this blog. The [...]

Week of War on WAF's: Day 5 -- Final thoughts

Did we learn anything about web application firewall technology this week? I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don't know why. Organizations everywhere think [...]

Week of War on WAF's: Day 4 -- Closer to the code

[Andre and Marcin]: For today's post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security [...]

Week of War on WAF's: Day 3 -- Language specific

This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang: [...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that [...]

Week of War on WAF's: Day 2 -- A look at the past

Web application experts have been asking WAF vendors the same questions for years with no resolution. It's not about religion for many security professionals -- it's about having a product that works as advertised. My frustration is not unique. I am not [...]

Week of War on WAF's: Day 1 -- Top ten reasons to wait on WAF's

Hello, and welcome to the Week of War on WAF's, the same week that ends whereby PCI-DSS Requirement 6.6 goes into effect as a deadline for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application [...]

Web application firewalls: A slight change of heart

We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, are against us, or are just tired from it all by now. This post is about to change all that, and show [...]


We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached [...]

Virtualization is a process, not a product

I see that the BlackHat Blogger's Network has a topic of interest. I'll oblige, especially since The Hoff is involved. I think it's a good exercise, so I'll have to thank Shimel for this idea. You also won't want to miss what I've said about [...]

nmaparse.py -- Parsing grepable Nmap output to insert into MySQL

Last week, Richard Bejtlich reviewed "Nmap in the Enterprise," and for the most part, was largely disappointed with its lack of enterprise context. My last script, tissynbe.py, parsed Nessus results in nbe format and inserted them into a MySQL database. [...]

Accountability through connected frameworks

Apparently Laura Chappell and Mark Curphey were presenting at the Microsoft TechEd 2008 Security Track last week. I haven't heard too much about what happened as a result, and I really wish I was there to see them speak about their respective topics. For [...]

What web application security really is

I wanted to do a post about "what web application security really is" because plenty of people out there don't get it. They understand that "security attacks are moving from hosts to the Web", but they have no idea what that means. To most people, web [...]

Software Security: a retrospective

Today I am going to cover a topic that is the most important to me: software security. When I talk about "software security", I refer to the process of building applications -- the artifacts, components, and capital that goes into making a polished [...]

VBAAC Security and You

My good friend Arshan Dabirsiaghi at Aspect Security released an interesting paper today on Bypassing VBAAC with HTTP Verb Tampering. For those who don't know what VBAAC is, it stands for "Verb-Based Authentication Access Control." Unfortunately, most [...]

tissynbe.py -- Insert Nessus results into MySQL, output as a CSV

I mentioned in previous posts that I had been working with Nessus -- I used it a lot. At the end of the engagement, we had almost a gigabyte of Nessus data saved in nbe format. So to quickly go through and analyze all the results, inserting it into a [...]

Protecting the global Internet routing infrastructure

Arbor Networks has a blog post up today about Using RPKI to Construct Validated IRR Data. Resource PKI (RPKI) is an extension to X.509 to allow for IP address (prefix) and AS identifiers (autonomous system numbers -- the organization-based assigned [...]

Resident scripts and global cross-domain

In October of 2006, a vulnerability in IE7 known as the "mhtml:" Redirection Information Disclosure was discovered. RSnake wrote up a post about how nasty it was. The basics: it took over the entire browser experience. Fortunately, the bug was patched [...]

Lucky for NSM -- Extracting files from TFTP packets in Wireshark

So the other day I get a call from the forensics team at work asking for help with some packet analysis. A client's users had reported phishing activity, so they decided to run a full-content capture using Wireshark on the external and internal network [...]

Another new blog over at NSS Labs

Not to be outdone by Neohapsis Labs, NSS Labs also enters the fray with their blog, Security Product Testing. Again, I think that NSS Labs (like Neohapsis Labs) has been blogging for awhile, but it has picked up more pace lately. In the past, the TS/SCI [...]

An update on Protocol hopping covert channels

At last year's Blackhat US 2007, the dominant discussion was around Joanna Rutkowska and Alex Tereshkin's "New Blue Pill" vs. Peter Ferrie, Nate Lawson, and Tom Ptacek's VT-x Rootkit Detection techniques. This included some follow-up material on the [...]

CERT on Securing your web browser

'Lo and behold, CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari -- three secure references for the three most popular browsers. The documentation and links provided are great. I was actually surprised that [...]

New blog over at Neohapsis Labs

The fine folks over at Neohapsis Labs appear to have a new blog focused on security related information. Technically, I guess they've had it up since January, but the posts are more frequent now. I just added them to my RSS feeds. Both Mike Murray and [...]

How to pwn PWN2OWN

Day one of PWN2OWN was unsuccessful, which is no big surprise. But today, I am really hoping for something -- otherwise we'll have to wait until tomorrow for the third-party client-side exploits. Here's a little summary I wrote a bit back on how to [...]

Security and safe browsing for Firefox

You installed Firefox. How do you make it more secure for daily use? How do the Mozilla developers ensure that they are doing all the right things? How do you safely browse the Internet? These are not easy questions to answer, and some of the answers [...]

Security in the SDLC is not just code review

Let's take some time here to discuss what "secure code review" is and what it is not. I see a lot more people talking about code review. Many people have only the view of the PCI DSS compliance standard, which almost pits code review against the web [...]

Firefox 3 first impressions

I've downloaded and used the Firefox 3 beta browser software for the past few months and wanted to give a report on the latest of what works and what doesn't. Note that I had to install Nightly Tester Tools to get many of these to work. I am also now [...]

Day 13: ITSM Vulnerability Assessment techniques

Lesson 13: Just this week, in lessons 12 and 13, we've covered -- at least partially -- how to significantly reduce risk and vulnerability to system and network infrastructure. We touched on protecting applications, but we weren't able to go into [...]

Day 12: ITSM Vulnerability Assessment techniques

Lesson 12: Yesterday, I shamelessly recommended to ditch all commercial networking gear. In the same breath, I also made several Cisco configuration recommendations. This is just the way that I work. The idea is that network appliances increase risk, but [...]

Day 11: ITSM Vulnerability Assessment techniques

Lesson 11: Welcome back! I know that the last few weeks have been a lull, and even before ShmooCon there wasn't a lot going on our security blog. However, you're in for a real treat since I'm back with the daily ITSM Vulnerability Assessment techniques! [...]

Qualities of good pen-testers

Taking care of business Before I get into this post, I wanted to give you some updates on progress of other projects here at TS/SCI Security. First off, I've been working on the OWASP Evaluation and Certification Criteria Project and hope to announce [...]

Implications of The New School

Recently, I finished reading "The New School of Information Security" by Adam Shostack and Andrew Stewart. It's only about 200 pages, so it's certainly worth your time to pick up and read. Some people will compare it to "Security Metrics" by Andrew [...]

Short-term defenses for web applications

Before Mike Rothman posted something about the WhiteHatSec and F5 announcement, I really wasn't going to say anything negative or positive. Integrating web application security scanners with web application firewalls at first seems like a good idea. [...]

OWASP Hartford tomorrow

Tomorrow, February 28th, is the first ever meeting for the brand new Hartford Owasp chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda for [...]

ShmooCon 2008 -- Path X: Explosive Security Testing Tools with XPath

On Sunday, we had some technical difficulties getting my laptop to work with the projector. In a scramble to get things up and running, I forgot to send the backup screenshots I had taken just in case. Ughh.. first conference talk I give, and everything [...]

Back from D.C. -- ShmooCon 2008 recap

We're back from a great weekend in Washington, D.C. at ShmooCon '08. Dre and I arrived Thursday night just in time for the bar to close and with having no hotel room reserved, we were in for a long night. Interestingly enough though, at around 5am, we [...]

Path X -- Explosive Security Testing

We have received details from ShmooCon with the scheduled day and time of our talk. We have been scheduled for the last talk on Sunday at 12pm noon (before the room split) on the "Build It" track. I'm not sure whether that's a good thing or bad thing, [...]

Hardware VM security: past and present

Marcin and I were talking a bit about mainframe security today. I recalled how fantastic mainframes were while he had his hands in the trenches. Yes, I know that IBM renamed MVS to z/OS (as well as other things) years ago. However, the concepts remain [...]


I often sound like a Linux bigot. Before I was labeled as a Linux bigot, I was considered a classic FreeBSD bigot (so you would think I like Mac OS X, but I don't). Before everyone tagged me as a FreeBSD bigot, I again gave the impression of being a [...]

Guests on Network Security Podcast

The other night, we had the special privilege of being guests on Martin McKeay's Network Security Podcast with co-host Rich Mogull. While having a great time several weeks ago at SunSec, and several beers into the night, we tricked Mogull into letting us [...]

Blog Announcements

I have one ShmooCon ticket available for $300. Contact me if you are interested. Why do I have one ShmooCon ticket for sale? I bought it in case we didn't get accepted to ShmooCon, but we did! Dre, Tom Stracener of Cenzic (and formerly nCircle), and I [...]

My other phone is your iPhone

Here's a new 2008 security prediction for you -- The iPhone camera is an odd device. There is no notification that a picture is being taken, so the only requirement for malware is to wait for user activity and then start taking pictures. My prediction is [...]

Day 10: ITSM Vulnerability Assessment techniques

Lesson 10: You could say I'm a little late on posting something. However, we've been up to a lot of great research, hopefully much of which we'll publish here over the next few weeks. We had a few posts lately, some of with a change of heart. The latest [...]

Baby steps with web application security scanners

Web application security scanners have not matured much. I guess patent wars and company-buyouts have caused a lot of stagnation over the past year. However, I think the problems may run deeper than just controversy and industry drama. AppScan DE and [...]

Day 9: ITSM Vulnerability Assessment techniques

Lesson 9: Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I'll try and keep it short and sweet today. Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project), commented on yesterday's post regarding [...]

Day 8: ITSM Vulnerability Assessment techniques

Lesson 8: Two days ago we covered VoIP assessments, and yesterday we covered Intranets and the use of proxies. Most of last week also covered internal network infrastructure assessments, except for some topics such as PDA phones and WiFi devices. Today I [...]

Day 7: ITSM Vulnerability Assessment techniques

Lesson 7: Today I wanted to bring the real meaning behind these techniques into the spotlight. Learning about how IT groups do real security is only part of this. I'm also talking about what I've seen that IT security shops don't do. What [...]

Day 6: ITSM Vulnerability Assessment techniques

Lesson 6: Last week was great as I started out talking about a variety of topics including -- Day 1 -- Physical network segmentation / Browser tools; Day 2 -- Kernel protection in network drivers / Crawling tools; Day 3 -- Sandboxing / HTTP tools; Day 4 -- [...]

Day 5: ITSM Vulnerability Assessment techniques

Lesson 5: After the first week, many of these assessment techniques don't all fit together or seem congruent. Mid next-week, I think a lot of these pieces will start to come together to form a big picture. The recommendations I've given so far are not [...]

SunSec Trip Report

Last night Rich Mogull of Securosis, and co-host of Network Security Podcast, hosted SunSec (which was on hiatus for far too long) at the Furio in Scottsdale. It was a great turnout last night -- about twenty people had shown up and talked up all kinds [...]

Day 4: ITSM Vulnerability Assessment techniques

Lesson 4: We've touched on some of the critical-path ways to assess and protect your infrastructure including network segmentation and OS/application sandboxing. Often, the weakest area of technology is what you can't segment or sandbox effectively, [...]

Day 3: ITSM Vulnerability Assessment techniques

Lesson 3: After the first few days, we've covered securing WiFi, as well as basic software assurance tools to get you started with a web browser and crawler. This is just the beginning. Part 1: Information assurance vulnerability assessment — Sandboxing [...]

Day 2: ITSM Vulnerability Assessment techniques

Lesson 2: We hope that you are enjoying the format of these, as well as the content. Yesterday, I talked about how rogue AP's/clients can be scanned for without adding infrastructure or spending active time walking around the office. I also introduced [...]

Day 1: ITSM Vulnerability Assessment techniques

Lesson 1: These techniques are in two-parts, 1) Information assurance strategies, and 2) Software assurance tools. My feeling is that vulnerability assessments are typically done less strategically/operationally in IT environments (relying too much on [...]

Testing for randomness and predictability using Burp Sequencer

Sorry I haven't posted in forever. Dre's been covering for me while I've been super busy with finishing up school, reading, work, and other projects. I think Dre's packed more information in the last month than I did all year. 2007 Security Testing Tools [...]

Spread the OWASP Holiday Cheer

Linux.com is running a feature article on Building Secure Web Applications with OWASP. We're trying to Slashdot it, so everybody who reads this -- go and do that right now! The article is good and features quotes from Josh Sweeney of SecurityDistro.com. [...]

Cross-site scripts are the cockroaches of the Internet

I made an epic post to the LSO forums a few minutes ago. I felt the need to re-post a portion of it here. While meeting Joe earlier this evening, who is one of the founders of LearnSecurityOnline, I was inspired to think and write about XSS and a variety [...]

Ajax Security opens up a whole new can of worms

*Update on the TS/SCI Security Blog* First of all, I would like to announce that I will be retiring the long, diluted threads that have recently appeared on the TS/SCI Security Blog. This is the last of the "longer" threads I've been saving up for our [...]

Collaborative systems and Ajax/RIA security

Office collaboration services look like 1985 Microsoft Outlook and Exchange server have been the staple for office collaboration for over 10 years, with a model that has been around since Novell and Lotus in the mid-80's. Collaboration services are [...]

Building a security plan

An audit framework for evaluating structured security program frameworks How many readers implemented a new security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were involved? Possible frameworks [...]

Simultaneous use of Firefox profiles to guard against CSRF attacks

Here's a quick post to decrease your exposure to attacks against web application vulnerabilities. A couple months ago, I posted an article that detailed 8 Firefox extensions for safer browsing. In addition to the extensions listed in that post, I use [...]

Client-side attacks: protecting the most vulnerable

Chris Hoff published his 2008 Security Predictions, which offer a very dim future for the security industry. His first attack vector is regarding the virtualization hypervisor attacks. Didn't Ptacek prove that this vector is useless? I'm starting to see [...]

Why crawling doesn't matter

This post isn't intended to be a retort to Jeremiah Grossman's post last month on Why crawling matters, but more of a follow-up post to my latest blog entry on Why pen-testing doesn't matter. Hint: both pen-testing and crawling are still [...]

Why pen-testing doesn't matter

Pen-testing is an art, not a science Penetration-testing is the art of finding vulnerabilities in software. But what kind of an "art" is it? Is there any science to it? Is pen-testing the "only" way or the "best" way to find vulnerabilities in software? [...]

2007 Security Testing tools in review

In my last post, I explored some ways of using formal method tools to perform security testing in the most advanced scenarios. It may have been over the heads of many people, so I wanted to offset that by talking to some basic tools which I think anyone [...]

Formal Methods and Security

Most information security practices, whether system, network, application, software, or data -- come from original sources such as the Orange Book. Most people assume that the Orange Book is no longer valid for use in security today. If we had built [...]

Contributing towards a solution

Roger Halbheer, Chief Security Advisor for Microsoft Europe, Middle East, and Africa posted a comment last week in response to my post on "Operating Systems are only as secure as the idiot using it." Roger is looking for some open discussion on improving [...]

Blacklisting, XSS filter evasion and other resources

So the other day I was doing a web site review and looking for XSS issues. I came across one ASP form that used various URL parameters to make up parts of the form. Well, I poked around and tried injecting the usual, <script>alert('xss')</script>. [...]

Operating systems aren't any more secure than the idiot using it

So this week, we've had a roundup of posts on Apple's latest OS X release, Leopard, and the security "features" that went into it, where they fall short, and what's missing. Thomas Ptacek has a great post over at Matasano with even more insightful [...]

ToorCon 9 - Day 2

This is the second blog post covering Sunday's talks at ToorCon 9. You can read the first installment here. After a hard night of partying, I didn't want to get out of bed early in the morning. Gotta give props to Hikari for foreseeing this and not [...]

ToorCon 9 - Day 0 and 1

This weekend I was in San Diego, California for ToorCon 9 and had an absolute blast. On Friday, I had checked out the USS Midway Aircraft Carrier Museum and enjoyed listening to veterans recount fascinating experiences on the ship during the war. I took [...]

Scraping the web for fun and profit

Crawling and scraping rarely get discussed in a security context because everyone is too busy creating cute mashups and messaging their MySpace friends. I recently read Webbots, Spiders, and Screen Scrapers from NoStarch Press. The author uses PHP-CURL [...]

ToorCon 9: San Diego -- Eats, Treats, Tricks and Drinks

Several of us are going to ToorCon 9 this weekend in San Diego, California. I'm flying out tomorrow (Friday) morning and I plan on visiting some sites around town, such as The Aircraft Carrier/USS Midway Museum and then head up to Little Italy in the [...]

More on Google Analytics: Now with Stolen Search Queries!

In my earlier article on Using Google Analytics to Subvert Privacy, I demonstrated how dangerous free tools could be to match privacy information to web clicks. But now that Google has updated their Analytics service to support internal search queries, [...]

Way to go Arnold -- why AB 779 was a lose-lose situation for small business

A lot of commotion has recently been stirred up around California Governor Arnold Schwarzenegger's recent vetoing of a bill (AB 779) that would strictly mandate all merchants to comply with. Many have scoffed at the Governor's "caving to lobbyists and [...]

xkcd and exploits of a mom

Been busy the past couple days, just started work again and haven't gotten around to posting. I promise though, there'll be stuff coming up soon. In the mean time, enjoy the latest comic from xkcd: Exploits of a Mom

What do you mean threat?

This is in reply to Richard Bejtlich's post, "Someone Please Explain Threats to Microsoft." Richard takes issue with people (especially those who should know better) who misuse defined terms. We say a lot of things with the expectations of those who are [...]

PCI DSS questions left unanswered

Chris Eng of Veracode attended the first PCI Community Meeting in Toronto, an organized panel that brings QSAs, ASVs and those subject to PCI together with the PCI DSS council, and lives to blog about it. Several days ago, I posted some thoughts on the [...]

New Uninformed Journal - Vol 8

Get it here. Papers include: Real-time Steganography with RTP; PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3; Getting out of Jail: Escaping Internet Explorer Protected Mode; OS X Kernel-mode Exploitation in a Weekend; A Catalog of Windows [...]

More on Ambiguous Security Standards

When I finished reading through PCI DSS v1.1 the other night (for like the fifth time), several requirements continue to jump out at me. To understand the PCI requirements, we first need to understand what is subject to PCI. From the standard, PCI DSS [...]

Tweaking kernel parameters using sysctl

Over the last few years I have been finding ways to tweak my FreeBSD systems for better security and performance. One of the techniques that I used most often was tweaking kernel parameters using sysctl. As you may have known from previous posts I am now [...]

Using Google Analytics to subvert privacy

Marcin decided to take the day off with pay and allow me to share with you a guest blog post. Thanks, Marcin! Hello, my name is Andre and I'm a blogoholic. On with the post! With the popularity of MySpace also came the desire to track others who look at [...]

Enable password for single-user mode (OS X)

Single-user mode by default is available on OS X without a password. This is not a desirable system behavior and to remedy this, all that is needed are a few simple commands. To enable a higher level of security we can set an "Open Firmware Password". On [...]

Buying best of breed versus bundled services

We try and secure our data, our systems, and people as best we can. We spend months evaluating and deploying firewalls, IDS, IPS, NAC, A/V, A/S, anti-spam, proxies, VPN, etc. Hopefully, you create matrices of each product you consider purchasing based on [...]

Hit and run pentesters -- the cycle repeats

I just read an excellent post by Mark Curphey on "The types of testing," part 2 in his 5 part series on "The Art of Scoping Application Security Reviews." Dre responded with some good commentary almost as long as the original post. One quote towards the [...]

HBR case study on data breaches

Boss, I Think Someone Stole Our Customer Data The way Hoff puts it, sounds all too familiar. I can't count the number of times I've heard people talk about their systems and believe they're as secure as can be because they did one, some, or all of the [...]

Articles in my "toread" list

I've been backlogged lately, mostly due to taking a trip up to Lake Winnipesaukee, NH, getting a BlackBerry 8800, and my birthday. I've added a whole bunch of articles to my "toread" list, which I hope to get to soon and comment on. Computer security [...]

Immaterial Transfers with Material Consequences

Last year, a colleague pointed me to an article by Roland L. Trope in September/October 2006 IEEE Security & Privacy, Immaterial Transfers with Material Consequences. From the abstract: The need for such regulations is clear, but many firms underestimate [...]

8 Firefox extensions towards safer browsing

Web 2.0 has (re)introduced a wide variety of attack vectors that can be used against Internet users to steal sensitive information, control the web browser, and more. The security industry has seen a shift from concentrating on the servers that house [...]

Desert Code Camp

For those living in Phoenix, Desert Code Camp is upon us. All morning and afternoon on Saturday, September 15 will be full of sessions that are all about code. My friend Adam Muntner (founder of QuietMove and contributor to Security Catalyst) will be [...]

Security Tools for OS X -- DenyThumbDrives

The other day I posted about a problem regarding the default behavior under OS X, which ignores permissions for mounted firewire drives. I decided to look for a solution to this rather than relying on administrators to set the proper option. What I [...]

Insecure Permissions on Firewire Hard Disks - OS X

When you mount a firewire hard disk under OS X it will mount with the 'Ignore ownership on this volume' option set. What this means is that owner information and file permissions will be ignored. Apple does this so that you can share a disk across [...]

Security Tools for OS X -- QuickPass

I am an avid OS X user and will be posting tools and security information regarding OS X regularly. I often need to create secure passwords that are easy to remember and today I found the perfect tool for doing this. It's called QuickPass and it's a [...]

Greasemonkey script to block Gmail cookie-theft attacks

Ryan Naraine of ZDNet points out a Greasemonkey script that blocks Gmail cookie-theft attacks. The script can be downloaded here, and it redirects Gmail to use a "secure" HTTPS connection. You can modify the script to @include redirect any site that has [...]


DEFCON15 is this Friday and I'll be in Vegas Thursday night. I'll be without Internet access this weekend, but I'll try and post something up for Sunday. If anybody wants to meet up, send me an email. Gonna be a good weekend. Some of the talks I'm [...]

Preventing and Detecting Sensitive Data on P2P Networks

Recently, we've heard a lot of talk about P2P apps and data leakage concerning various members of Congress. It started with this article over at NetworkWorld, followed up by the guys at nCircle, directing criticism towards Congress from Techdirt, comments [...]

Interview with Richard Bejtlich -- GE Director of Incident Response

Back in May, I attended a meeting to get a feel for the company and group I would be working for this summer as an IT Security Intern. Much to my surprise, Richard Bejtlich was in attendance and as it turned out we'd be working for the same company. [...]

Firefox + httpOnly? While we're at it...

kuza55 noted this morning that Firefox has implemented support for httpOnly cookies. It's not perfect, as ma1 pointed out in the comments, but it's better than nothing. The Firefox browser could be made even more secure by building NoScript, [...]

Idiocy in Kernel Land

C'mon guys, what in the hell are you releasing a .1 for just to fix four lines of code. I realize that an exploit in netfilter could be a serious issue, but netfilter doesn't belong in the kernel to begin with; it should be userland code. Grrrr. This is [...]

Scan hostnames efficiently with Nmap

So your DNS team sends you the company's entire domain name inventory in a CSV (comma-separated values) file. You're tasked with port scanning those hosts, to perform a network inventory, discover rogue services and other policy violations. It's simple [...]

Pondering over the iPhone

I passed up a chance to get an iPhone last week because I couldn't spare the time to wait in line for it. I was headed to New Hampshire to stay up at Lake Winnipesaukee with some friends and watch the NASCAR Modified, Busch, and [...]

Suggested reading this week

I've been real busy lately, but I came across several blogs and articles this week that I'd like to share, Andrew Hay style. =) CEO Crime & Punishment -- Ben Horowitz, CEO of Opsware Inc., shares his thoughts on what entices executives to commit white [...]

Got pwned today

Several people in the corporate IT security group where I'm interning this summer have been working hard on creating a program to educate users on the company's acceptable use policies and some basic security awareness. They've done a great job and the [...]

Mother of all security feeds

Using Yahoo! Pipes, I tied in over 100 different security blogs into a single feed, sorted by newest on top, and encompasses all areas of security. When I have some more time I'll add security news sites like DarkReading, SecurityFocus, etc. I know Mark [...]

Compromising one app through another

I was directed through RSnake's blog to a XSS defect in Yahoo! Services and had a couple questions concerning secure design of web applications... So here's the scenario, A user is authenticated by a device between himself and the application he's [...]

Bust through HTTP Proxies

I came across a neat little command that will allow you to SSH through an http-proxy. Useful for when you're at a library or elsewhere and need to make an outbound SSH connection and the only thing stopping you is a proxy. Features of connect.c are: [...]

Hacking Techniques for Law Enforcement - A good idea or asking for trouble?

Mikko @ F-Secure made a post on their blog about whether or not law enforcement organizations should be permitted to utilize security tools and hacking techniques in investigations that got me thinking. To me the answer to this question is very clear -- [...]

What makes a security project fail?

I started working on a project that has no doubt, been done before. It's something no one has publicly posted information on and it's not new -- something everybody wants yet every vendor says is impossible. The problem with this project, is it can't be [...]

Disable Firefox automatic updates

Christopher Soghoian has an excellent remote vulnerability disclosure report concerning Firefox Add-ons. More than several extensions from various 3rd parties are vulnerable to man-in-the-middle attacks. Q: Who is at risk? A: Anyone who has installed the [...]

Dell + Google Toolbar... profit??!?!

Andrew Hay writes: Dell & Google Secretly Installing Software to Make Money Off Your Typos Those bastards, how is this business practice not illegal? New Dell machines that include the Google toolbar as part of a marketing agreement also include a secret [...]

Gauging interest, CitySec -- Hartford, CT

Is anyone in the Hartford, Connecticut area between Boston and Manhattan interested in a CitySec meetup? I'm gauging interest for those located between the two cities (like myself). Anybody care to share a trip report for BeanSec or NYSec meetings?

Protecting data in use

Last week, I blogged about data classification and how it's difficult for many organizations to gain control of. The next day SearchSecurity published Data classification is first step in successful data protection, an article that addresses the need to [...]

Vulnerabilities of low probability bring about devastating impact

(Continued from Consumerization of IT and state of the security industry and a reply to Low probability but a devastating impact.) After lunch, we broke up into several groups and I headed to the discussion on "next generation threat analysis," which [...]

Consumerization of IT and state of the security industry

Yesterday was a bit of a surprise for me, I met someone I never would have expected to meet and be an actual co-worker too. There were several talks today, focusing on the "consumerization" of IT, the state of the security industry from a Wall Street [...]

Low probability but a devastating impact

I've been too busy to blog this week and haven't had any ideas for any new topics. Tomorrow (Wednesday and Thursday) I'll be attending my company's internal security "conference" to discuss the issues and projects IT Security faces. I'm interning at this [...]

We really wouldn't need a security industry

if everybody was honest with themselves and others. If people didn't break into other people's houses, bank accounts, commit acts that are criminal and deprive (or take advantage of) others' rights, we wouldn't need security. Remember the days you could [...]

20 years old and [in] security (part 1)

A thread that has gotten some attention and even sparked some bloggers to tag each other with their own stories, I thought I'd post my own "how I got started." I'm twenty years old and my area of study since I graduated high school has been network [...]

How to Be a Security Idiot

So, I was wading through all the garbage on digg today and came across Jim Rapoza's 12 Ways to Be a Security Idiot. It got me thinking about all of the dumb and insecure practices that I saw while I was working for the City of Tempe here in Arizona. [...]

CSUM Ratings

Good stuff. I just find it hilarious when people watch CSI or all these other movies and think hacking or recovering data off a hard drive is so flashy and cool. Or better yet, completely retarded. It's a UNIX system! I know this! Cookie to the first [...]

Security Internships

In a month, I begin a new internship for a Fortune 100 company. Having already spoken with a member of the security team, I can expect to be placed in one of four areas in IT security, including web application security and forensics/incident response. I [...]

My first hack

My first hack that I remember, was in sixth grade (1996 or so??). We had a lab full of Macintosh computers, which I had no clue about or anything at the time, other than we logged into them and had a folder for our documents and another folder containing [...]

Technobabylon hacked??

So I hit up the Security Bloggers Network and what do I see? A post on Technobabylon with a bunch of penises (sp?) some Indian dude with a Swastika shirt, and a whole slew of personal information.. Someone doesn't like Ross Brown or eEye Digital [...]

What's your favorite RE tool?

I'm looking for suggestions on any tools to reverse engineer programs for Windows based systems. I have the *nix and BSD bases covered; I'm just lacking a good, Windows toolkit. Particularly, tools to analyze memory, disassemble, debug, etc... I've heard [...]

Hacking pricey FPGAs

h1kari, not long ago at ShmooCon 2007, presented (*.mp4) his custom Field-programmable gate array optimized for cracking WEP and WPA encryption. It performed in some cases over 400% faster than a Pentium 4 or Athlon64. The reason why the chip performs so [...]

F-Secure's Question of the day

From F-Secure Weblog : News from the Lab, (spoiler: answer below) Question of the day: How come you get over 160,000 hits when you search Google for "d41d8cd98f00b204e9800998ecf8427e"? Pretty much the same thing for [...]

Hilarious, I'll never drink that much again!

And the post of the day goes to Mike Rothman, and his comments on Javelin's research survey that claims 77% of 2750 consumers said they would not shop at stores that suffered data breaches. I think this number is crap. Why? The analogy I'll use is [...]

We share your pain

A funny slide taken from Windows WSYP Project: Security is (or will be) your job. Security is your life. You are security for your org. If you wanna be good, there are things you have gotta know-- How to say "I don't know" How to say "That's not allowed" [...]

Kismet, ipw2200, and wireless injection

To get Kismet to run under the ipw2200 driver, simply edit /etc/kismet/kismet.conf. Here is the diff -u output: --- kismet.conf.orig    2007-04-03 13:51:29.000000000 -0700 +++ kismet.conf 2007-04-03 13:53:55.000000000 -0700 @@ -7,10 +7,10 @@ [...]

ShmooCon Video Reviews

LonerVamp has been watching ShmooCon videos all day long and has posted his thoughts on several of them. My favorite talks (that have been uploaded) from ShmooCon are the following: A Hacker Looks at 50 Extend Your Code into the Real World No-Tech [...]

ShmooCon 2007 Videos

ShmooCon 2007 videos are up. Check out http://www.shmoocon.org/2007/videos/.

What's the big deal about WEP??

Andy IT Guy writes, "I think we need to focus on in not how to crack what is already broken but how can we protect what is using it. I'd love to see WEP go away but it won't happen anytime soon." Andy hits the nail right on the head with this one. A lot [...]

What is my favorite movie?!!

I asked a colleague once how to answer those silly questions, you know, the ones banks and other sites like to use to reset passwords? They're used to verify you are, who you say you "were." Well, my bank at the start of the year had introduced some [...]

Considerations for Export Control Compliance

Expanding on my previous blog post regarding export control and how it is defined, there are several other factors to take into consideration to help ensure compliance. Record Keeping All export records must be kept for five years after license [...]

Thinking of Exporting Classified Material? Think Again

ITT was fined $100 million for illegally exporting classified technical data relating to night vision equipment overseas. In addition to being fined, they must "invest $50 million over five years to accelerate development of night vision technology, and [...]

It takes a thief

I was watching an episode of It Takes a Thief on the Discovery Channel the other day that featured two skateboard shop owners. The hosts had scouted the shop a day before, looking for video cameras and other security equipment. The next day, they return [...]

Disable wireless on bootup

While at ShmooCon, I saw a fair share of rogue ap's pretending to be shmoocon ap's. We worked to pull down these access points, but you can never be sure. To help keep yourself from getting pwned, disable wireless upon startup by commenting out your [...]

Weaponizing Noam Chomsky

I wanted to ask Dan Kaminsky, who btw is a brilliant presenter (more below), about doing grammar and writing style analysis to determine who wrote a paper. I can see the techniques as potentially having forensic uses. Don't ask me what his talk was [...]

ShmooCon 2007 - Lab Day 1

We got our NOC up and running. Critical services have been set up for the most part, and we'll be doing some tuning today. Not new to us all, things don't always work the way you want, so that's what we're currently going through today. To anyone here at [...]

Phoenix catalyst meetup, ShmooCon

Tonight I had a great time hanging out with Michael Santarcangelo of Security Catalyst, Andre Gironda, Erich Newell and Adam Muntner. There were a bunch of other guys (and Grace!) there, but I apologize for not remembering your names. It was fun talking [...]

Incompetent blurring

While chatting in #snort-gui today, somebody noticed Gizmodo was showing off their ticket to Apple NAB. You can see they blurred the Name, Company and barcode on the ticket. Whoever did this, did a poor job because they didn't blur the name on the [...]

Are we taking vulnerabilities less seriously?

The OpenBSD IPv6 Remote DoS vulnerability has sparked debate and strong reaction on whether denial-of-service is a security vulnerability or not. Let's go back to the fundamentals we all learned early on: C-I-A, Confidentiality, Integrity and [...]

phx-owasp recap

Last night I attended my first Phoenix-OWASP meeting hosted at UAT. There were around 30 people in attendance from all backgrounds, including independent researchers, government agencies, private sector, and academia. Andre Gironda had a cool [...]

VERT Challenge #1 Progress

The folks at nCircle Blog have posted a VERT Challenge, and hopefully more to come. You can check out the details at their blog, but I'll be posting my progress here and we'll see how far I can get before I either a.) give up, or b.) someone else gets [...]

OWASP-Phoenix Chapter Meeting

From the Owasp-phoenix mailing list: This month we have an exciting technical talk discussing the Same-Origin Policy and attacks that attempt to break/circumvent these controls by security researcher Andre Gironda. The details of this month's meeting are [...]

ShmooCon getting nearer

The list of speakers and schedule for ShmooCon has been posted. A lot of interesting topics to check out, it's so hard to choose. My friend Ryan Clarke is speaking on "Extend your Code into the Real World," a look at electronics and hardware hacking. [...]

Vista cracked for real, no hoax

If you haven't heard, a keygen was released that brute-forced the correct CD key for Windows Vista. Martin McKeay did the math and let's just say, it'll take a really long time for anybody to brute force a key with available processing power we have [...]

Infosec pros aren't afraid to cry wolf

Look left when everyone looks right and say no when everyone says yes. Then, ask why? You're in the position as a security professional to tell the bosses no; that's what you're paid for. Don't be afraid to cry wolf when something is out of the ordinary, [...]

Tools are only an abstraction, use the right one

Do tools make us dumber? I don't agree with the idea exactly, as they are just that, tools. Tools are just another level of abstraction from thinking at a lower level. It's what distinguishes an engineer from a kit builder. Who here wants to program in [...]

Mike Murray on building a sustainable security career

Hey Mike, thanks for posting your presentation (Building a Sustainable Security Career) you gave to ISSA-NH the other day. I found it interesting, since "your father's 6 fundamental assumptions about work" were the same I had for quite a while. You can [...]

What is an Insider Threat?

Several of us have been discussing in a thread at the Security Catalyst Community Forums, and we all have differing opinions on what constitutes an "insider threat." In my opinion an insider threat is a party who has the capability and intention of [...]

NIST SP800-94 -- Final Guide to (IDPS)

SP 800-94 (http://csrc.nist.gov/publications/nistpubs/#sp800-94), Guide to Intrusion Detection and Prevention Systems (IDPS), seeks to assist organizations in understanding intrusion detection system and intrusion prevention system technologies and [...]

Comment Spam

Spam sucks. Why do spammers have to ruin every communication medium out there? Postal mail, email, popups, malware/spyware, and now comment spam. LonerVamp over at terminal23 has noticed an increase in spam on his blog as well. I had used Akismet to help [...]

(IN)SECURE Feb 2007 Out

It's out, Issue 1.10. Microsoft Windows Vista: significant security improvement? Review: GFI Endpoint Security 3 Interview with Edward Gibson, Chief Security Advisor at Microsoft UK Top 10 spyware of 2006 The spam problem and open source filtering [...]

SCALE this weekend

I'm heading out to Los Angeles for the 5th Annual Southern California Linux Expo. I'll try and post in between sessions (that is... whenever I can). I'll be attending these talks: Leveraging the IT Community (This talk is focused on a building a new broad [...]

New Mac vs PC commercial... Vista UAC

Pretty funny: http://www.youtube.com/watch?v=X4FF_aT_mE8

Linux 2.6.20 kernel relocatable on x86

Linus released kernel v2.6.20 (tar.bz2) to the public today, adding virtualization support through KVM and relocatable kernel support for x86, among other changes. The latter feature is an interesting one from a security perspective and for kdump users. [...]

Hosting dropped out, update your links

Hey everyone. Earlier today my hosting had expired and I had to migrate to new host. Update your bookmarks to account for the changes. The new URL address of my blog is www.tssci-security.com. Thankfully, most of you who subscribe via RSS shouldn't have [...]

February: Month of No Bugs - MOAB a dud

RMogull called it, February is Month of No Bugs. L.M.H. signs off from Month of Apple Bugs... let's see who else will bother keeping up with the vulnerability a day, every day momentum.

No, the floppy disk is not dead

My staging servers cannot boot from CD-ROM, therefore I use a boot disk. For this reason alone, I have floppy drives in all my systems. I also save time by booting from floppy disk and installing operating systems over the network. A tip for anyone who's [...]

Scope your efforts

When contracted to perform a network security evaluation or penetration test, one of the most important stages is the pre-evaluation phase. During this phase, you develop contacts and gather information about the company. It's important to determine the [...]

SCALE: SoCal Linux Expo

Literally right after RSA, SCALE is happening February 10th and 11th. I plan on making the drive out with several other friends from school. The presentations I'm looking forward to: New & Improved: How a More Modern IT Security Model Can Better Protect [...]

A.. A... A... Availability!!!

Guy Kawasaki has a very interesting blog and today posted "The top 10 stupid ways to hinder market adoption." Supporting only Windows Internet Explorer. What Guy fails to mention, is having a website that's always available to its users. Supporting only [...]

TJX security breach.. check

I am not 100% positive or if this just merely coincidence, but I have a feeling my sister has fallen victim to the TJX security breach reported last week. Fraudulent transactions originating in France (of all places) began January 10th, comprosing four [...]

Keep track of your SUID/SGID programs

Part of any monitoring and intrusion detection strategy should include file integrity checking and regularly auditing programs capable of privilege escalation. These programs are often replaced or modified by intruders, creating processes or performing [...]

What does your father's middle name, first car, and high school mascot all have in common?

My bank recently upgraded its architecture and web site, adding more features and "improved security." After logging in, I am directed to a page greeting me asking to update my account information and "security challenge questions." The drop-down menu [...]

Security Awareness Poster..

I made this poster back a couple years ago, telling users to think before they click. It shows a mouse pointer and "Format C:\" button with a red circle and a slash through it. (edit: click here for the *nix version) If anyone has some other sayings for [...]

The Security Journal - Winter 2007

My good friends over at Security Horizon have released the Winter 2007 issue of The Security Journal. Stories covered include: Fire up your Fox: a Browser Platform for Security Testing How I Cut Our Spam by 90% Risk Assessment with NIST SP 800-30 Book [...]

Storm-Worm and F-Secure WorldMap

F-Secure has a replay of their WorldMap from last night, 01/19/2007. It shows the spread of Storm-Worm Small.DAM, an e-mail worm and it's really, really cool. I want one! (not the worm of course, :P ) The video is also available on YouTube.

Thoughts on IEM Day 1

I was tired today.. maybe it was the material, or the fact that I had to break my college routine and wake up early in the morning... but I was beat. Regarding the IEM, the material could be a little better. Some of the tools that were mentioned are not [...]

NSA IEM: INFOSEC Evaluation Methodology

This semester, I am taking the IEM as part of a class that will be assigned to evaluate my university's network security. Last semester, I was a team leader in an IAM, an assessment of my school's organizational information security. The IAM is two full [...]

New Uninformed Journal out

Volume 6 of the Uninformed Journal is out. This issue contains the following: Engineering in Reverse Subverting PatchGuard Version 2 Locreate: An Anagram for Relocate Exploitation Technology Exploiting 802.11 Wireless Driver Vulnerabilities on Windows [...]

New Wordpress exploit, version 2.0.6

To anyone who has `register_global` turned on for PHP versions 4 thru 4.4.3, < 5.1.4, update your Wordpress; 2.0.7RC1 is available. The exploit takes advantage of code flaws in wp-trackback.php.... again, allowing a SQL injection admin hash disclosure. [...]

Pandemic Influenza, Business Continuity Planning and You

Today Congress will ask the President for an update on National Strategy for Pandemic Influenza. This reminded me of an article I read in the December 2006 issue (pp 36-43) of Information Security Magazine. One of the feature stories, Don't Wait for [...]

InformationWeek, the site who thinks its readers are dumb

Thank you very much InformationWeek! I was reading an IW article, Adobe Patches Acrobat And Reader XSS Bug, 3 Other Flaws, hoping to get some useful information from it. The article contains 15 links, two of which are other IW articles and three direct [...]

This is horrible, this idea: "Phishing your own users"

I see Michael Farnum has responded to Terry Sweeney's blog post on Phishing your own users. I would just like to remind everyone that while intentions may be good, to remember the times people have tried this tactic with viruses. How many times did we [...]

Foxit Reader (may be) vulnerable

I came across this today, a Multiple Vendor PDF Document Catalog Handling Vulnerability over at MOAB. I was curious, so I decided to check it out and download the POC exploit code. The document failed to open on my Windows XP workstation using Foxit [...]

Black out and smudge, but don't blur

I'm at the airport right now, after having gone through an extensive, supposedly random TSA security screening and came across this article at dheera.net. In summary, the article states blurring sensitive text in photos is a bad idea. The reason being, [...]

Full disclosure: How about no security vulnerabilities in the first place?

Michael (LV) over at terminal23 hits the nail right on the head with the latest articles and blog posts regarding full disclosure and responsible disclosure. I'd rather hear from the community about a new security vulnerability than wait for a vendor to [...]

SANS Certifications, GSEC anyone?

As some of you know, I should be (hopefully) graduating this August. I'll be taking a couple classes this summer to finish up the credits I need and finally graduate. I've been thinking more and more about some entry-level security certifications but am [...]

PDF Readers, Vulnerabilities, Exploits... Oh My!

With the recent vulnerabilities in Adobe Acrobat/Reader and reported exploits, I just want to point you all to a free, light-weight self-executable PDF reader for Windows: Foxit Reader 2.0. It's super fast for simple text PDFs, however it sometimes has [...]

ShmooCon Tix, Hotels, and Meets

I couldn't take it anymore, so I bit the bullet and bought a ticket to ShmooCon for $150. Next thing I need to arrange are hotel accommodations. Wardman Park Marriott is too expensive for us poor college students, so I'll be looking into getting a room [...]

New Year's Resolutions

Happy New Year everyone! I had a great night with my friends and a lot of unneeded drama, but oh well. I'm disappointed I wasn't able to snag ShmooCon tickets for $75; they sold out in under three minutes! I'm still organizing a trip with several other [...]

Finding a middle between HTML and plain text E-mail

In response to Michael at mcwresearch and Michael (LV) at terminal23, I'm surprised there has been no middle-ground adoption that gives users ability to format text (colors, bold, italic, underline, bullets, etc), without the nastiness of HTML and [...]

BS ThreatCon Levels

Who else besides me thinks "ThreatCon" levels are bullshit? (not to be confused with vulnerability alerts) After checking out Slashdot this morning, I came across CERTStation, which attempts to aggregate current threat information into one page, entirely [...]

Social Networking Users: Say Goodbye to Privacy! nahhh

Alright, I just have to respond to this opinion regarding Social network users have ruined their privacy, forever. Just about anyone can read what's posted onto social networking websites like MySpace and FaceBook. 'Anyone' includes the intended audience [...]

My Security Predictions of 2007

Following everyone else and their "Security Predictions of 2007," I have some predictions of my own: I will be graduating in August with a Bachelor's Degree I will be looking for an entry-level position in security These are two predictions that I am [...]

Games for Security Geeks

Those who know me personally will know I have barely any time for games. I always say that us network security geeks shouldn't be playing games, leave that to the smelly game design kids (j/k with ya guys). Well, here are a couple games I do approve [...]

Lots of "Insiders" Lately..

I've noticed a lot of discussion around news (some new, some old) articles this week related to "increased insider threats". To quote my own Slashdot post: "Viktor Cherkashin, a former KGB officer states in his book Spy Handler, people most often commit [...]

Nmap 4.20 Out

From the nmap-dev mailing list: From: Fyodor <fyodor_at_insecure.org> Date: Thu, 7 Dec 2006 20:19:00 -0800 Hi Everyone, I just posted the binaries for 4.20! Woohoo! This is the first "stable" release in almost 6 months, and contains tons of important [...]

Open Letter to Domain Registrars

Get right down to it! F-Secure has posted this letter asking domain registrars to double-check the names people register for domains to help combat phishing. The example they give is just one of many that go wild: Like, say, somebody trying to register a [...]

Nike + Ipod... nothing new

I've been seeing stories about the Nike+Ipod sport kit and how researchers have come up with a way to track people wearing them. This is nothing new, people have been able to do this for quite some time, called SIGINT (signals intelligence). You've been [...]

Security Bloggers Network

Alan Shimel of StillSecure created the Security Bloggers Network, a network of feeds with content relating to security. Check it out, it's a great way to see what other security pros, analysts, vendors, and anyone else in the industry is blogging about.

(IN)SECURE 1.9 Released

A new release of the (IN)Secure magazine is out. Version 1.9 - December 2006 [pdf]. Some highlights from this month's issue: Effectiveness of security by admonition: a case study of security warnings in a web browser setting Interview with Kurt Sauer, [...]

Leaking Secrets to China

China's at it again, this time having obtained information on secret technology used on the B-2 stealth bomber's engines. The data will now allow China to copy or counter weapons using the technology. Details of the classified defense technology related [...]

Capturing I's before O's

You're on the go, at the airport, at a coffee shop, whatever. You need to check your email or log in to your bank account to make sure you have sufficient funds (I'd recommend against it, but people do it anyways). You sit down at a public internet [...]

Exploit kit dissected

Alex Rice of Websense Security Labs dissected "Web-Attacker", one of the most popular exploit kits on the web. He recently got a hold of the source code and takes us step by step through it all. For those who do not know how Web-Attacker works, here's a [...]

Password Length >= Short/Complex

Roger at InfoWorld has been running a password-cracking contest for some time now and just recently received the first correct cracks at his first password: a 10-character password with normal complexity. The other two that have still yet to be cracked, [...]

For all the IS Managers

NIST has released SP800-100, Information Security Handbook: A Guide for Managers. I'm sure it'd benefit everyone in the security community, since you either are or one day will be a manager (or at least help managers make more informed decisions). [...]

Classified Wiki?

The U.S. intelligence community recently unveiled Intellipedia, a top-secret wiki available to sixteen various agencies to share information and resources better. You can catch more on the story at GCN, Infowars, and a blog dedicated to Intellipedia! My [...]

Designing a New E-Voting Machine

With all the problems and flaws in electronic voting machines being exposed over the past couple months, I'd like to know why there hasn't been any effort in designing a new voting system from scratch. What does an electronic voting machine need to be [...]

HBO - Hacking Democracy

By now most of you have heard about how easy it is to hack a Diebold machine, and the blatant security flaws, such as not utilizing encryption or password protection. Well, HBO will be airing "Hacking Democracy", a documentary that exposes the [...]

ShmooCon CFP

The Shmoo Group is soliciting papers and presentations for the third annual ShmooCon. ShmooCon 2007 has 4 options for speaker submission: One Track Mind - Technical Tales in Twenty Minutes or Less Break It! - Technology Exploitation Build It! - [...]

IAM Checklist

I've been getting some requests for what to look for when doing the on-site portion of an INFOSEC assessment, and put together a checklist derived from the 18 baseline classes and categories the NSA has specified. You can add/remove to this list as you [...]

PDF Backdoors

I've been following a discussion regarding backdooring PDF files on the full-disclosure mailing list originally posted by David Kierznowski and on eWeek. At his site, he discusses two techniques for exploiting Adobe Acrobat Reader and Professional. [...]

IAM Day 2

It's been a couple days since I attended day two of the IAM training, but I've been a little busy taking that information and preparing for our class' assessment of the school. On day two, we went over modules 3 and 4 (available at the IATRP website, for [...]

Day 1 of NSA's IAM

The IAM training has been going pretty well, even though it was just the first day. Today, the class went over the initial contact and pre-assessment phases. We defined the mission of our example organization (our customer) and identified points of [...]

NSA IAM... Security Assessment Methodology

This Tuesday and Wednesday I'll be attending a training session (held at my school) on the NSA's Infosec Assessment Methodology taught by Russ Rogers and Greg Miles of Security Horizon. The IAM is a vulnerability assessment of an organization's security [...]

Security Engineering... for Free!!

I'm enthused to hear Ross Anderson has made his book, Security Engineering, available online and FREE to download. He explains his reasoning at his website; to reach the widest possible audience, especially among poor students and being a supporter of [...]

The (In)Security of Locks

Here's a cool article [engadget], from the lockpicking event at DEFCON14 in Las Vegas. The author goes into some detail as to what the components of a lock are and how they work together. Also described is the history of "bumping" locks (as the 11 [...]

IBM to buy ISS

No... not the International Space Station (for you Slashdotters...) ARMONK, NY & ATLANTA - 23 Aug 2006: IBM (NYSE: IBM) and Internet Security Systems, Inc. (NASDAQ: ISSX) today announced the two companies have entered into a definitive agreement for IBM [...]

Silence on the Wire Review

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks (http://lcamtuf.coredump.cx/silence.shtml) By Michał Zalewski I am a student studying information security and I've read many books lately on the subject. Silence on the [...]