Archive for Security
If you've ever assessed or poked at an application that uses Google Protocol Buffers, you know how painstaking the whole process can be. When you're lucky enough to have a corresponding .proto, crafting messages via generated APIs is tedious. When you [...]
Posted by Marcin on Thursday, May 30, 2013 in
Security.
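The painstaking part the excerpt above refers to is working with protobuf messages when no .proto is at hand. The wire format itself is self-describing enough to walk without a schema: every field is a varint key (field number shifted left three bits, OR'd with a wire type), followed by a varint, a fixed 32- or 64-bit value, or a length-prefixed payload. The decoder below is an added example written for this page; it is not code from the original post, from the tool it announces, or from Google's protobuf library. The sample message, the helper names (`read_varint`, `decode_message`, `guess_payload`) and the nested-message heuristic are all this example's own.

```python
"""Schema-less decoder for the Protocol Buffers wire format (added example)."""
from typing import Any, List, Tuple

# Wire types from the protobuf encoding specification.
VARINT, FIXED64, LENGTH_DELIMITED, START_GROUP, END_GROUP, FIXED32 = 0, 1, 2, 3, 4, 5


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos) for the base-128 varint starting at pos."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def encode_varint(value: int) -> bytes:
    """Inverse of read_varint; used here only to build the constructed sample."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append(byte | 0x80 if value else byte)
        if not value:
            return bytes(out)


def encode_field(field_number: int, wire_type: int, value: Any) -> bytes:
    """Encode one field: int for scalar wire types, bytes for length-delimited."""
    key = encode_varint((field_number << 3) | wire_type)
    if wire_type == VARINT:
        return key + encode_varint(value)
    if wire_type == LENGTH_DELIMITED:
        return key + encode_varint(len(value)) + value
    if wire_type in (FIXED32, FIXED64):
        return key + value.to_bytes(4 if wire_type == FIXED32 else 8, "little")
    raise ValueError(f"unsupported wire type {wire_type}")


def decode_message(buf: bytes) -> List[Tuple[int, str, Any]]:
    """Decode buf into [(field_number, kind, value), ...].

    Raises ValueError when buf is not a well-formed message; guess_payload
    relies on that to fall back to string/bytes for leaf fields.
    """
    fields: List[Tuple[int, str, Any]] = []
    pos = 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        field_number, wire_type = key >> 3, key & 0x07
        if field_number == 0:
            raise ValueError("field number 0 is reserved")
        if wire_type == VARINT:
            value, pos = read_varint(buf, pos)
            fields.append((field_number, "varint", value))
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
            fields.append((field_number, f"fixed{width * 8}", value))
        elif wire_type == LENGTH_DELIMITED:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            kind, value = guess_payload(buf[pos:pos + length])
            pos += length
            fields.append((field_number, kind, value))
        else:
            # Groups (3/4) are deprecated and 6/7 undefined: treat as not-a-message.
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def guess_payload(payload: bytes) -> Tuple[str, Any]:
    """Classify a length-delimited payload as nested message, UTF-8 text, or bytes.

    Heuristic only: a short ASCII string can also parse as a valid message, so
    when a particular field matters, inspect both interpretations by hand.
    """
    if payload:
        try:
            return "message", decode_message(payload)
        except ValueError:
            pass
    try:
        text = payload.decode("utf-8")
        if text.isprintable():
            return "string", text
    except UnicodeDecodeError:
        pass
    return "bytes", payload


# Constructed sample: field 1 = varint 150, field 2 = "testing",
# field 3 = nested message {1: varint 1, 2: fixed32 0xdeadbeef}.
SAMPLE = (
    encode_field(1, VARINT, 150)
    + encode_field(2, LENGTH_DELIMITED, b"testing")
    + encode_field(3, LENGTH_DELIMITED,
                   encode_field(1, VARINT, 1) + encode_field(2, FIXED32, 0xDEADBEEF))
)

if __name__ == "__main__":
    for number, kind, value in decode_message(SAMPLE):
        print(f"field {number}: {kind} = {value!r}")
```

Feed it a captured request body instead of `SAMPLE` to get a field map you can then rename and re-encode with `encode_field`; the output is exactly what a hand-written .proto would need to label.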
It's not uncommon for developers to accidentally (or purposefully) commit passwords or other information supposed to remain secret into revision control. It's also not uncommon to see RSA private keys indexed by Google, and GitHub made it even easier to [...]
Posted by Marcin on Thursday, February 21, 2013 in
Security.
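The three things that make committed secrets findable by a search engine, a PEM header, a well-known key prefix, and a long random-looking token, are the same three things a scanner can look for before the push. The script below is an added example written for this page, not code from the original post or from any particular secret-scanning tool; the regular expressions, the 4.5 bits-per-character entropy threshold, the `Finding` record and the sample config are this example's own choices (the AWS id in the sample is the documentation placeholder key, and nothing in it is a real credential).

```python
"""Scan text (a file, a diff, or a whole git history) for committed secrets (added example)."""
import math
import re
import subprocess
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    source: str
    line: int
    kind: str
    snippet: str


PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
# "AKIA" followed by 16 upper-case alphanumerics is the documented AWS access-key-id shape.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)"
    r"\s*[:=]\s*['\"]?([^\s'\"]{6,})"
)
BASE64ISH_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5  # bits/char: random base64 is near 6, English text near 4


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own histogram."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PEM_PRIVATE_KEY.search(line):
            findings.append(Finding(source, lineno, "pem-private-key", line.strip()))
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(source, lineno, "aws-access-key-id", m.group(1)))
        for m in CREDENTIAL_ASSIGNMENT.finditer(line):
            findings.append(Finding(source, lineno, "credential-assignment", m.group(0)))
        for m in BASE64ISH_TOKEN.finditer(line):
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append(Finding(source, lineno, "high-entropy-string", m.group()))
    return findings


def scan_git_history(repo: str) -> List[Finding]:
    """Scan every commit on every branch: a secret deleted from HEAD is still in history.

    Makes a real git call (`git log -p --all`), so it is not exercised offline here.
    """
    patch = subprocess.run(["git", "-C", repo, "log", "-p", "--all"],
                           capture_output=True, text=True, check=True).stdout
    return scan_text(patch, f"{repo} (history)")


# Constructed sample config; the AWS id is the documentation example key, nothing is real.
SAMPLE = """\
# constructed sample config, not real credentials
db_host = "db.internal.example"
db_password = "hunter2"
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA
-----END RSA PRIVATE KEY-----
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
hmac_key = "q8Zr2LpX0mN7vK4sT1wY9bC3dF6gH5jA"
release_version = "2.0.13"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.cfg"):
        print(f"{f.source}:{f.line}: {f.kind}: {f.snippet}")
```

The entropy detector is the noisy one (version hashes and base64 blobs trip it), so treat its hits as a review queue rather than a verdict; the PEM and prefix matches are close to certain. Running `scan_git_history` rather than scanning the working tree is the point the excerpt makes: removing the file in a later commit does not remove it from what GitHub or Google indexed.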
Last year, I released the Jython Burp API, a plugin framework to Burp that allows running multiple plugins simultaneously, exposes an interactive Jython console, provides Filter-like functionality, and eases developing plugins at runtime by providing [...]
Posted by Marcin on Thursday, February 14, 2013 in
Security.
I've posted an entry over on my employer's blog on Penetrating Intranets through Adobe Flex Applications. I've also released a new tool along with it, called Blazentoo. This tool exploits insecurely configured BlazeDS Proxy Services, potentially allowing [...]
Posted by Marcin on Thursday, March 18, 2010 in
Security.
In my most recent post, I identified the direction and state-of-the-art in application security. We all know of the importance of application security in today's environments. However, finding out where to fit application security policies and programs [...]
Posted by Dre on Tuesday, July 28, 2009 in
Security and
Work.
It's that time of year again, where we all come out of hiding and meet in Sin City to cause nothing but trouble. The brave venture out into the scorching hot sun during the day and some even dare tempt the waters at Rehab. The rest of us wait until dark, [...]
Posted by Marcin on Monday, July 27, 2009 in
Conferences and
Security.
Recently, it has come to my attention that industry people I respect (and vice versa) have desired me to re-post some comments I've made on other blogs. It's also high-time that we at TS-SCI/Security begin writing again. I can tell you that since March [...]
Posted by Dre on Saturday, July 25, 2009 in
Security.
Virtual Infrastructure Security Facts The number of virtual servers will rise to more than 1.7 million physical servers by 2010, resulting in 7.9 million logical servers. Virtualized servers will represent 14.6% of all physical servers in 2010 compared [...]
Posted by Dre on Wednesday, March 18, 2009 in
Defense,
Hacking and
Security.
I thought I'd take a moment to post about some web security tools I use pretty often, which help as a security consultant when responding to various web hacking related incidents. These tools have helped me write my own scripts whenever I'm in a jam and [...]
Posted by Marcin on Monday, February 23, 2009 in
Security.
There is no doubt in my mind that some very strong experts out there have put WAF or WAF-like technology to good use. However, WAF is dead and dying regardless. I think that very large-installation, Internet-facing web applications require Anti-DDoS [...]
Posted by Dre on Thursday, February 12, 2009 in
Defense,
Politics and
Security.
Jim Manico invited Dre and me to join him with Brian Holyfield on this week's OWASP Podcast. Topics of discussion included our thoughts on web application security, WAFs, training, among others. Give it a listen, and tell us what you think. OWASP Podcast [...]
Posted by Marcin on Thursday, February 5, 2009 in
People and
Security.
Hey all, I'd like to introduce all of you to a new site Tyler Reguly and I, along with Romain Gaucher and Jay Graver set up last week, SSLFail.com. The site's purpose is to point out the failures in various sites' SSL implementations. We'll be publishing [...]
Posted by Marcin on Thursday, January 22, 2009 in
Security.
As many of you have probably already heard, SANS, in a combined effort with MITRE released the CWE/SANS Top 25 Most Dangerous Programming Errors. There have been numerous discussions on both the Secure Coding List and Webappsec mailing lists, along with [...]
Posted by Marcin on Friday, January 16, 2009 in
People,
Politics and
Security.
A recent email by Dave Aitel to the Dailydave mailing list on Pen testing web servers was an inspiration to publishing a short, but simple script. I like to keep things simple when I write scripts, taking the Unix philosophy of doing one thing and doing [...]
Posted by Marcin on Wednesday, December 31, 2008 in
Code and
Security.
This week, I was doing an internal penetration test for a client of a web service, which is used by applications loaded on kiosk machines around the country. I didn't have much time to do the test, so I had a couple advantages, like having network access [...]
Posted by Marcin on Sunday, December 14, 2008 in
Code,
Security and
Work.
Today I ran into a little setback for an issue I did not foresee. For the past several months, I've been on a PCI remediation project, of which one of my tasks was to implement a web application firewall to address PCI requirement 6.6. Now, for everyone [...]
Posted by Marcin on Thursday, November 20, 2008 in
Security and
Work.
In only a couple weeks, many of the greatest minds in web application security will come together again for OWASP EU Summit in Algarve, Portugal. The Summit is a gathering whose main goal is, besides promoting the exchange of ideas on web application [...]
Posted by Marcin on Saturday, October 18, 2008 in
Conferences and
Security.
Today, another vulnerability has been making the headlines, various industry security professionals predicting apocalypse, genocide and famine along with everything in between. It first started earlier this summer, back when Dan Kaminsky, in a [...]
Posted by Marcin on Wednesday, October 1, 2008 in
News,
People and
Security.
Living in NYC has its perks, one being that we host the largest OWASP chapter across the world. The NY/NJ Metro chapter put a lot of effort into making sure this last week went smoothly, even with the change of venues at the last minute. I had a lot of [...]
Posted by Marcin on Friday, September 26, 2008 in
Security.
This is just going to be a long list of links with rants. I have taken up the duty of disseminating information on the latest in WiFi and Bluetooth penetration-testing for no real reason other than it's on the tip of my tongue. First, we have the [...]
Posted by Dre on Tuesday, September 23, 2008 in
Hacking,
Security and
Tech.
The OWASP AppSec NYC 2008 conference is only a couple days away, with training starting at 9AM on Monday. I will be attending the "Advanced Web Application Testing" training course with Eric Sheridan of Aspect Security. I'm really looking forward to this [...]
Posted by Marcin on Sunday, September 21, 2008 in
Conferences and
Security.
Jeremiah Grossman wrote in the opinion section for Application security in CSO Online magazine about Web Application Security Today -- Are We All Insane? I have an opinion of my own which I would like to share with my readers. Jeremiah spreads FUD -- [...]
Posted by Dre on Thursday, September 11, 2008 in
Security.
The bad: It's a front-end to WebKit much like Safari, with no bells or whistles. The only add-ons are Web Inspector (from WebKit), Chrome's own Task Manager, and Chrome's own Java Debugger (they could have at least used Drosera which comes with Web [...]
Posted by Dre on Tuesday, September 2, 2008 in
News,
Security and
Tech.
Yesterday we celebrated tssci-security.com's two-year anniversary. I started this site on August 23rd, 2006 during my first internship, and oh my, how the time flew by. A lot of good things have come my way -- most as a direct result of this blog. The [...]
Posted by Marcin on Sunday, August 24, 2008 in
Conferences,
News,
People,
Security and
Work.
Did we learn anything about web application firewall technology this week? I hope so. However, my gut tells me there is an overriding feeling of ambiguity around this technology. People want WAFs, but they don't know why. Organizations everywhere think [...]
Posted by Dre on Friday, June 27, 2008 in
Defense and
Security.
[Andre and Marcin]: For today's post, we have a guest blogger, Rohit Sethi. We asked Rohit to do this guest post because we feel that his research, along with co-worker, Nish Bhalla, has been influential at solving some unique application security [...]
Posted by Rohit on Thursday, June 26, 2008 in
Defense,
People and
Security.
This post comes via WAF thoughts from Christian Matthies's blog circa one year ago. Christian starts out with a bang: [...] it seemed to me that quite a lot of people aren't aware of how effective such solutions in fact are. Basically I agree that [...]
Posted by Dre on Thursday, June 26, 2008 in
Defense and
Security.
Web application experts have been asking WAF vendors the same questions for years with no resolution. It's not about religion for many security professionals -- it's about having a product that works as advertised. My frustration is not unique. I am not [...]
Posted by Dre on Wednesday, June 25, 2008 in
Defense and
Security.
Hello, and welcome to the Week of War on WAF's, the same week that ends whereby PCI-DSS Requirement 6.6 goes into effect as a deadline for many merchants. Today is the first day. So far, Marcin has identified some of the problems with web application [...]
Posted by Dre on Monday, June 23, 2008 in
Defense and
Security.
We've been beating the drum for some time now, expressing our opinions of web application firewalls (WAFs). You might have sided with us on this issue, are against us, or are just tired from it all by now. This post is about to change all that, and show [...]
Posted by Marcin on Monday, June 23, 2008 in
Defense,
Security and
Work.
We all know about the CISSP. You've heard the whispered hallway conversations. You've seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached [...]
Posted by Dre on Thursday, June 19, 2008 in
Security and
Work.
I see that the BlackHat Blogger's Network has a topic of interest. I'll oblige, especially since The Hoff is involved. I think it's a good exercise, so I'll have to thank Shimel for this idea. You also won't want to miss what I've said about [...]
Posted by Dre on Wednesday, June 18, 2008 in
Defense,
Security and
Tech.
Last week, Richard Bejtlich reviewed "Nmap in the Enterprise," and for the most part, was largely disappointed with its lack of enterprise context. My last script, tissynbe.py, parsed Nessus results in nbe format and inserted them into a MySQL database. [...]
Posted by Marcin on Sunday, June 15, 2008 in
Code and
Security.
Apparently Laura Chappell and Mark Curphey were presenting at the Microsoft TechEd 2008 Security Track last week. I haven't heard too much about what happened as a result, and I really wish I was there to see them speak about their respective topics. For [...]
Posted by Dre on Sunday, June 15, 2008 in
Conferences,
People,
Security and
Tech.
I wanted to do a post about "what web application security really is" because plenty of people out there don't get it. They understand that "security attacks are moving from hosts to the Web", but they have no idea what that means. To most people, web [...]
Posted by Dre on Sunday, June 15, 2008 in
Defense,
Hacking and
Security.
Today I am going to cover a topic that is the most important to me: software security. When I talk about "software security", I refer to the process of building applications -- the artifacts, components, and capital that goes into making a polished [...]
Posted by Dre on Thursday, May 29, 2008 in
Code,
Defense and
Security.
My good friend Arshan Dabirsiaghi at Aspect Security released an interesting paper today on Bypassing VBAAC with HTTP Verb Tampering. For those who don't know what VBAAC is, it stands for "Verb-Based Authentication Access Control." Unfortunately, most [...]
Posted by Marcin on Wednesday, May 28, 2008 in
News and
Security.
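The bypass the paper's title refers to comes from how a Java EE `<security-constraint>` is scoped: if the `<web-resource-collection>` lists `<http-method>` elements, the `<auth-constraint>` applies only to those verbs, and a request using HEAD (which `HttpServlet` routes to `doGet` by default), an unlisted verb such as PUT, or an arbitrary verb the container still dispatches to the same resource reaches it unauthenticated. Omitting `<http-method>` makes the constraint cover every verb. The checker below is an added example written for this page, not code from Arshan's paper or from Aspect Security; the sample web.xml, the function names (`find_verb_tampering`, `harden`, `probe`) and the verb list are this example's own.

```python
"""Flag web.xml security-constraints open to HTTP verb tampering (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, NamedTuple

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
COMMON_VERBS = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]


class Finding(NamedTuple):
    name: str
    url_patterns: List[str]
    listed_methods: List[str]
    uncovered_methods: List[str]  # common verbs the constraint leaves unprotected


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def find_verb_tampering(web_xml: str) -> List[Finding]:
    root = ET.fromstring(web_xml)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        for collection in _children(constraint, "web-resource-collection"):
            listed = [m.text.strip().upper() for m in _children(collection, "http-method")]
            if not listed:
                continue  # no method list: the constraint applies to all verbs
            names = _children(collection, "web-resource-name")
            findings.append(Finding(
                name=names[0].text.strip() if names else "",
                url_patterns=[p.text.strip() for p in _children(collection, "url-pattern")],
                listed_methods=listed,
                uncovered_methods=[v for v in COMMON_VERBS if v not in listed],
            ))
    return findings


def harden(web_xml: str) -> str:
    """Drop every <http-method> so each constraint covers all verbs.

    Servlet 3.1 containers can additionally take <deny-uncovered-http-methods/>
    under <web-app>; this function does not add it.
    """
    ET.register_namespace("", JAVAEE_NS)
    root = ET.fromstring(web_xml)
    collections = [e for e in root.iter() if _local(e.tag) == "web-resource-collection"]
    for collection in collections:
        for method in _children(collection, "http-method"):
            collection.remove(method)
    return ET.tostring(root, encoding="unicode")


def probe(url: str, verbs=COMMON_VERBS + ["JEFF"]) -> dict:
    """Send each verb to a protected URL and return the status codes.

    A 200 for an unlisted verb where GET and POST return 401/403 confirms the bypass.
    "JEFF" is an arbitrary non-standard verb. Network call; not exercised offline.
    """
    codes = {}
    for verb in verbs:
        req = urllib.request.Request(url, method=verb)
        try:
            with urllib.request.urlopen(req) as resp:
                codes[verb] = resp.status
        except urllib.error.HTTPError as err:
            codes[verb] = err.code
    return codes


# Constructed sample: the first constraint is bypassable, the second is not.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    for f in find_verb_tampering(SAMPLE_WEB_XML):
        print(f"{f.name} {f.url_patterns}: lists {f.listed_methods}, leaves {f.uncovered_methods} open")
```

The static check is the cheap first pass over a deployment; `probe` is how you confirm it against a running container, since whether an arbitrary verb actually reaches a JSP or servlet depends on the container and the handler.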
I mentioned in previous posts that I had been working with Nessus -- I used it a lot. At the end of the engagement, we had almost a gigabyte of Nessus data saved in nbe format. So to quickly go through and analyze all the results, inserting it into a [...]
Posted by Marcin on Friday, May 23, 2008 in
Code and
Security.
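The nbe export the post is about is a flat, pipe-separated text format, which is why a short parser plus a database is enough to query a gigabyte of it. The loader below is an added example written for this page, not the tissynbe.py script the post describes. It assumes the classic nbe layout of one record per line, `results|subnet|host|port|plugin_id|severity|description` for findings and `timestamps|...` for scan and host start/end markers, with newlines in descriptions escaped as a literal backslash-n; check that against the files you actually have. SQLite from the standard library stands in for the MySQL backend so the example runs offline, and the hosts, plugin ids and finding text in the sample are placeholders.

```python
"""Parse Nessus .nbe output and load it into SQLite for querying (added example)."""
import re
import sqlite3
from typing import Dict, List, NamedTuple, Optional, Tuple


class Result(NamedTuple):
    subnet: str
    host: str
    service: str
    port: Optional[int]
    proto: Optional[str]
    plugin_id: int
    severity: str
    description: str


PORT_RE = re.compile(r"^(?P<service>\S+) \((?P<port>\d+)/(?P<proto>\w+)\)$")


def parse_port(field: str) -> Tuple[str, Optional[int], Optional[str]]:
    """'ssh (22/tcp)' -> ('ssh', 22, 'tcp'); 'general/tcp' -> ('general/tcp', None, None)."""
    m = PORT_RE.match(field)
    if not m:
        return field, None, None
    return m.group("service"), int(m.group("port")), m.group("proto")


def parse_nbe(text: str) -> List[Result]:
    results = []
    for raw in text.splitlines():
        if not raw.startswith("results|"):
            continue  # timestamps records and blank lines carry no findings
        parts = raw.split("|", 6)  # the description may itself contain '|'
        if len(parts) != 7:
            raise ValueError(f"malformed results record: {raw[:60]!r}")
        _, subnet, host, port_field, plugin_id, severity, description = parts
        service, port, proto = parse_port(port_field)
        results.append(Result(subnet, host, service, port, proto, int(plugin_id),
                              severity, description.replace("\\n", "\n")))
    return results


def load_nbe(text: str, db_path: str = ":memory:") -> sqlite3.Connection:
    """Create the results table if needed and bulk-insert every finding."""
    conn = sqlite3.connect(db_path)
    conn.execute("""CREATE TABLE IF NOT EXISTS results (
        subnet TEXT, host TEXT, service TEXT, port INTEGER, proto TEXT,
        plugin_id INTEGER, severity TEXT, description TEXT)""")
    conn.executemany("INSERT INTO results VALUES (?,?,?,?,?,?,?,?)", parse_nbe(text))
    conn.commit()
    return conn


def severity_summary(conn: sqlite3.Connection) -> Dict[str, int]:
    rows = conn.execute("SELECT severity, COUNT(*) FROM results GROUP BY severity")
    return dict(rows.fetchall())


def hosts_with_holes(conn: sqlite3.Connection) -> List[str]:
    rows = conn.execute(
        "SELECT DISTINCT host FROM results WHERE severity = 'Security Hole' ORDER BY host")
    return [r[0] for r in rows]


# Constructed sample export; hosts, plugin ids and finding text are placeholders.
SAMPLE_NBE = """\
timestamps|||scan_start|Fri May 23 10:00:00 2008|
timestamps||192.168.1.10|host_start|Fri May 23 10:00:05 2008|
results|192.168.1|192.168.1.10|ssh (22/tcp)|10267|Security Note|SSH server type and version.\\nRemote SSH version : SSH-2.0-OpenSSH_4.3
results|192.168.1|192.168.1.10|http (80/tcp)|11213|Security Warning|The remote web server supports the TRACE method.
results|192.168.1|192.168.1.20|general/tcp|10000|Security Hole|Placeholder finding: a remotely exploitable issue.
timestamps||192.168.1.10|host_end|Fri May 23 10:03:00 2008|
"""

if __name__ == "__main__":
    conn = load_nbe(SAMPLE_NBE)
    print(severity_summary(conn))
    print("hosts with holes:", hosts_with_holes(conn))
```

Point `load_nbe` at a file on disk (`db_path="scan.sqlite"`) and the same `GROUP BY` queries scale to the whole engagement's output; the `general/tcp` case is there because Nessus reports host-level findings with no port in parentheses and a parser that assumes the `(port/proto)` form silently drops them.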
Arbor Networks has a blog post up today about Using RPKI to Construct Validated IRR Data. Resource PKI (RPKI) is an extension to X.509 to allow for IP address (prefix) and AS identifiers (autonomous system numbers -- the organization-based assigned [...]
Posted by Dre on Wednesday, May 7, 2008 in
Defense and
Security.
In October of 2006, a vulnerability in IE7 known as the "mhtml:" Redirection Information Disclosure was discovered. RSnake wrote up a post about how nasty it was. The basics: it took over the entire browser experience. Fortunately, the bug was patched [...]
Posted by Dre on Wednesday, May 7, 2008 in
Conferences,
Hacking,
Privacy and
Security.
So the other day I get a call from the forensics team at work asking for help with some packet analysis. A client's users had reported phishing activity, so they decided to run a full-content capture using Wireshark on the external and internal network [...]
Posted by Marcin on Monday, May 5, 2008 in
Security and
Work.
Not to be outdone by Neohapsis Labs, NSS Labs also enters the fray with their blog, Security Product Testing. Again, I think that NSS Labs (like Neohapsis Labs) has been blogging for awhile, but it has picked up more pace lately. In the past, the TS/SCI [...]
Posted by Dre on Monday, May 5, 2008 in
News,
Privacy and
Security.
At last year's Blackhat US 2007, the dominant discussion was around Joanna Rutkowska and Alex Tereshkin's "New Blue Pill" vs. Peter Ferrie, Nate Lawson, and Tom Ptacek's VT-x Rootkit Detection techniques. This included some follow-up material on the [...]
Posted by Dre on Tuesday, April 29, 2008 in
News and
Security.
'Lo and behold, CERT has an excellent document on Securing your web browser! They cover IE, Firefox, and Safari -- three secure references for the three most popular browsers. The documentation and links provided are great. I was actually surprised that [...]
Posted by Dre on Tuesday, April 29, 2008 in
Defense,
Privacy and
Security.
The fine folks over at Neohapsis Labs appear to have a new blog focused on security related information. Technically, I guess they've had it up since January, but the posts are more frequent now. I just added them to my RSS feeds. Both Mike Murray and [...]
Posted by Dre on Monday, April 28, 2008 in
News,
Privacy and
Security.
Day one of PWN2OWN was unsuccessful, which is no big surprise. But today, I am really hoping for something -- otherwise we'll have to wait until tomorrow for the third-party client-side exploits. Here's a little summary I wrote a bit back on how to [...]
Posted by Dre on Thursday, March 27, 2008 in
Apple,
Conferences,
Hacking,
Linux,
Security and
Windows.
You installed Firefox. How do you make it more secure for daily use? How do the Mozilla developers ensure that they are doing all the right things? How do you safely browse the Internet? These are not easy questions to answer, and some of the answers [...]
Posted by Dre on Tuesday, March 25, 2008 in
Defense and
Security.
Let's take some time here to discuss what "secure code review" is and what it is not. I see a lot more people talking about code review. Many people have only the view of the PCI DSS compliance standard, which almost pits code review against the web [...]
Posted by Dre on Monday, March 24, 2008 in
Defense and
Security.
I've downloaded and used the Firefox 3 beta browser software for the past few months and wanted to give a report on the latest of what works and what doesn't. Note that I had to install Nightly Tester Tools to get many of these to work. I am also now [...]
Posted by Dre on Monday, March 24, 2008 in
Defense,
Hacking,
Security,
Tech and
Windows.
Lesson 13: Just this week, in lessons 12 and 13, we've covered -- at least partially -- how to significantly reduce risk and vulnerability to system and network infrastructure. We touched on protecting applications, but we weren't able to go into [...]
Posted by Dre on Thursday, March 20, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 12: Yesterday, I shamelessly recommended to ditch all commercial networking gear. In the same breath, I also made several Cisco configuration recommendations. This is just the way that I work. The idea is that network appliances increase risk, but [...]
Posted by Dre on Wednesday, March 19, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 11: Welcome back! I know that the last few weeks have been a lull, and even before ShmooCon there wasn't a lot going on our security blog. However, you're in for a real treat since I'm back with the daily ITSM Vulnerability Assessment techniques! [...]
Posted by Dre on Tuesday, March 18, 2008 in
Defense,
Hacking,
Itsm and
Security.
Taking care of business Before I get into this post, I wanted to give you some updates on progress of other projects here at TS/SCI Security. First off, I've been working on the OWASP Evaluation and Certification Criteria Project and hope to announce [...]
Posted by Dre on Monday, March 17, 2008 in
Hacking,
Security and
Work.
Recently, I finished reading "The New School of Information Security" by Adam Shostack and Andrew Stewart. It's only about 200 pages, so it's certainly worth your time to pick up and read. Some people will compare it to "Security Metrics" by Andrew [...]
Posted by Dre on Monday, March 17, 2008 in
Books,
Privacy and
Security.
Before Mike Rothman posted something about the WhiteHatSec and F5 announcement, I really wasn't going to say anything negative or positive. Integrating web application security scanners with web application firewalls at first seems like a good idea. [...]
Posted by Dre on Tuesday, March 11, 2008 in
Defense and
Security.
Tomorrow, February 28th, is the first ever meeting for the brand new Hartford OWASP chapter. James McGovern, the chapter lead has been putting some effort into starting it off with a bang, so I hope everyone in the NY/CT/Mass area can make it. Agenda for [...]
Posted by Marcin on Thursday, February 28, 2008 in
Conferences,
People and
Security.
On Sunday, we had some technical difficulties getting my laptop to work with the projector. In a scramble to get things up and running, I forgot to send the backup screenshots I had taken just in case. Ughh.. first conference talk I give, and everything [...]
Posted by Marcin on Tuesday, February 19, 2008 in
Conferences and
Security.
We're back from a great weekend in Washington, D.C. at ShmooCon '08. Dre and I arrived Thursday night just in time for the bar to close and with having no hotel room reserved, we were in for a long night. Interestingly enough though, at around 5am, we [...]
Posted by Marcin on Tuesday, February 19, 2008 in
Conferences,
People and
Security.
We have received details from ShmooCon with the scheduled day and time of our talk. We have been scheduled for the last talk on Sunday at 12pm noon (before the room split) on the "Build It" track. I'm not sure whether that's a good thing or bad thing, [...]
Posted by Marcin on Sunday, February 17, 2008 in
Conferences and
Security.
Marcin and I were talking a bit about mainframe security today. I recalled how fantastic mainframes were while he had his hands in the trenches. Yes, I know that IBM renamed MVS to z/OS (as well as other things) years ago. However, the concepts remain [...]
Posted by Dre on Tuesday, February 5, 2008 in
Hacking,
Linux,
Security and
Tech.
I often sound like a Linux bigot. Before I was labeled as a Linux bigot, I was considered a classic FreeBSD bigot (so you would think I like Mac OS X, but I don't). Before everyone tagged me as a FreeBSD bigot, I again gave the impression of being a [...]
Posted by Dre on Tuesday, February 5, 2008 in
Security and
Windows.
The other night, we had the special privilege of being guests on Martin McKeay's Network Security Podcast with co-host Rich Mogull. While having a great time several weeks ago at SunSec, and several beers into the night, we tricked Mogull into letting us [...]
Posted by Marcin on Wednesday, January 30, 2008 in
People and
Security.
I have one ShmooCon ticket available for $300. Contact me if you are interested. Why do I have one ShmooCon ticket for sale? I bought it in case we didn't get accepted to ShmooCon, but we did! Dre, Tom Stracener of Cenzic (and formerly nCircle), and I [...]
Posted by Marcin on Monday, January 28, 2008 in
Conferences,
Other and
Security.
Here's a new 2008 security prediction for you -- The iPhone camera is an odd device. There is no notification that a picture is being taken, so the only requirement for malware is to wait for user activity and then start taking pictures. My prediction is [...]
Posted by Dre on Sunday, January 27, 2008 in
Apple,
Hacking,
Privacy,
Security and
Tech.
Lesson 10: You could say I'm a little late on posting something. However, we've been up to a lot of great research, hopefully much of which we'll publish here over the next few weeks. We had a few posts lately, some with a change of heart. The latest [...]
Posted by Dre on Wednesday, January 23, 2008 in
Defense,
Hacking,
Itsm and
Security.
Web application security scanners have not matured much. I guess patent wars and company-buyouts have caused a lot of stagnation over the past year. However, I think the problems may run deeper than just controversy and industry drama. AppScan DE and [...]
Posted by Dre on Monday, January 21, 2008 in
Security and
Tech.
Lesson 9: Yesterday was a bit of a whirlwind, discussing BGP, Whois/RWhois, and the DOM all in one big post. I'll try and keep it short and sweet today. Arshan Dabirsiaghi (leader of the OWASP Anti-Samy Project), commented on yesterday's post regarding [...]
Posted by Dre on Thursday, January 17, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 8: Two days ago we covered VoIP assessments, and yesterday we covered Intranets and the use of proxies. Most of last week also covered internal network infrastructure assessments, except for some topics such as PDA phones and WiFi devices. Today I [...]
Posted by Dre on Wednesday, January 16, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 7: Today I wanted to bring the real meaning behind these techniques into the spotlight. Learning about how IT groups do real security is only part of this. I'm also talking about what I've seen that IT security shops don't do. What [...]
Posted by Dre on Tuesday, January 15, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 6: Last week was great as I started out talking about a variety of topics including -- Day 1 -- Physical network segmentation / Browser tools Day 2 -- Kernel protection in network drivers / Crawling tools Day 3 -- Sandboxing / HTTP tools Day 4 -- [...]
Posted by Dre on Monday, January 14, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 5: After the first week, many of these assessment techniques don't all fit together or seem congruent. Mid next-week, I think a lot of these pieces will start to come together to form a big picture. The recommendations I've given so far are not [...]
Posted by Dre on Friday, January 11, 2008 in
Defense,
Hacking,
Itsm and
Security.
Last night Rich Mogull of Securosis, and co-host of Network Security Podcast, hosted SunSec (which was on hiatus for far too long) at the Furio in Scottsdale. It was a great turnout last night -- about twenty people had shown up and talked up all kinds [...]
Posted by Marcin on Friday, January 11, 2008 in
Conferences,
People and
Security.
Lesson 4: We've touched on some of the critical-path ways to assess and protect your infrastructure including network segmentation and OS/application sandboxing. Often, the weakest area of technology is what you can't segment or sandbox effectively, [...]
Posted by Dre on Thursday, January 10, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 3: After the first few days, we've covered securing WiFi, as well as basic software assurance tools to get you started with a web browser and crawler. This is just the beginning. Part 1: Information assurance vulnerability assessment -- Sandboxing [...]
Posted by Dre on Wednesday, January 9, 2008 in
Defense,
Hacking,
Itsm,
Linux and
Security.
Lesson 2: We hope that you are enjoying the format of these, as well as the content. Yesterday, I talked about how rogue AP's/clients can be scanned for without adding infrastructure or spending active time walking around the office. I also introduced [...]
Posted by Dre on Tuesday, January 8, 2008 in
Defense,
Hacking,
Itsm and
Security.
Lesson 1: These techniques are in two-parts, 1) Information assurance strategies, and 2) Software assurance tools. My feeling is that vulnerability assessments are typically done less strategically/operationally in IT environments (relying too much on [...]
Posted by Dre on Monday, January 7, 2008 in
Defense,
Hacking,
Itsm and
Security.
Sorry I haven't posted in forever. Dre's been covering for me while I've been super busy with finishing up school, reading, work, and other projects. I think Dre's packed more information in the last month than I did all year. 2007 Security Testing Tools [...]
Posted by Marcin on Friday, December 21, 2007 in
Security.
Linux.com is running a feature article on Building Secure Web Applications with OWASP. We're trying to Slashdot it, so everybody who reads this -- go and do that right now! The article is good and features quotes from Josh Sweeney of SecurityDistro.com. [...]
Posted by Dre on Thursday, December 20, 2007 in
Security.
I made an epic post to the LSO forums a few minutes ago. I felt the need to re-post a portion of it here. While meeting Joe earlier this evening, who is one of the founders of LearnSecurityOnline, I was inspired to think and write about XSS and a variety [...]
Posted by Dre on Tuesday, December 18, 2007 in
Hacking and
Security.
*Update on the TS/SCI Security Blog* First of all, I would like to announce that I will be retiring the long, diluted threads that have recently appeared on the TS/SCI Security Blog. This is the last of the "longer" threads I've been saving up for our [...]
Posted by Dre on Monday, December 17, 2007 in
Hacking and
Security.
Office collaboration services look like 1985 Microsoft Outlook and Exchange server have been the staple for office collaboration for over 10 years, with a model that has been around since Novell and Lotus in the mid-80's. Collaboration services are [...]
Posted by Dre on Thursday, December 13, 2007 in
Defense,
Hacking,
Security and
Work.
An audit framework for evaluating structured security program frameworks How many readers implemented a new security plan for 2006 or 2007? How many had clients that implemented a new security program? Which frameworks were involved? Possible frameworks [...]
Posted by Dre on Monday, December 10, 2007 in
Defense,
Hacking,
Intelligence,
Politics,
Security,
Tech and
Work.
Here's a quick post to decrease your exposure to attacks against web application vulnerabilities. A couple months ago, I posted an article that detailed 8 Firefox extensions for safer browsing. In addition to the extensions listed in that post, I use [...]
Posted by Marcin on Sunday, December 9, 2007 in
Security.
Chris Hoff published his 2008 Security Predictions, which offer a very dim future for the security industry. His first attack vector is regarding the virtualization hypervisor attacks. Didn't Ptacek prove that this vector is useless? I'm starting to see [...]
Posted by Dre on Wednesday, December 5, 2007 in
Defense,
Hacking and
Security.
This post isn't intended to be a retort to Jeremiah Grossman's post last month on Why crawling matters, but more of a follow-up post to my latest blog entry on Why pen-testing doesn't matter. Hint: both pen-testing and crawling are still [...]
Posted by Dre on Sunday, December 2, 2007 in
Security.
Pen-testing is an art, not a science Penetration-testing is the art of finding vulnerabilities in software. But what kind of an "art" is it? Is there any science to it? Is pen-testing the "only" way or the "best" way to find vulnerabilities in software? [...]
Posted by Dre on Sunday, December 2, 2007 in
Defense,
Hacking,
Security and
Tech.
In my last post, I explored some ways of using formal method tools to perform security testing in the most advanced scenarios. It may have been over the heads of many people, so I wanted to offset that by talking to some basic tools which I think anyone [...]
Posted by Dre on Saturday, November 24, 2007 in
Hacking and
Security.
Most information security practices, whether system, network, application, software, or data -- come from original sources such as the Orange Book. Most people assume that the Orange Book is no longer valid for use in security today. If we had built [...]
Posted by Dre on Friday, November 23, 2007 in
Defense and
Security.
Roger Halbheer, Chief Security Advisor for Microsoft Europe, Middle East, and Africa posted a comment last week in response to my post on "Operating Systems are only as secure as the idiot using it." Roger is looking for some open discussion on improving [...]
Posted by Marcin on Monday, November 19, 2007 in
Security.
So the other day I was doing a web site review and looking for XSS issues. I came across one ASP form that used various URL parameters to make up parts of the form. Well, I poked around and tried injecting the usual, <script>alert('xss')</script>. [...]
Posted by Marcin on Thursday, November 15, 2007 in
Security.
So this week, we've had a roundup of posts on Apple's latest OS X release, Leopard, and the security "features" that went into it, where they fall short, and what's missing. Thomas Ptacek has a great post over at Matasano with even more insightful [...]
Posted by Marcin on Thursday, November 1, 2007 in
Apple,
Linux,
Security and
Windows.
This is the second blog post covering Sunday's talks at ToorCon 9. You can read the first installment here. After a hard night of partying, I didn't want to get out of bed early in the morning. Gotta give props to Hikari for foreseeing this and not [...]
Posted by Marcin on Thursday, October 25, 2007 in
Conferences,
Hacking,
People and
Security.
This weekend I was in San Diego, California for ToorCon 9 and had an absolute blast. On Friday, I had checked out the USS Midway Aircraft Carrier Museum and enjoyed listening to veterans recount fascinating experiences on the ship during the war. I took [...]
Posted by Marcin on Monday, October 22, 2007 in
Conferences,
Hacking,
People and
Security.
Crawling and scraping rarely get discussed in a security context because everyone is too busy creating cute mashups and messaging their MySpace friends. I recently read Webbots, Spiders, and Screen Scrapers from NoStarch Press. The author uses PHP-CURL [...]
Posted by Dre on Thursday, October 18, 2007 in
Security.
Several of us are going to ToorCon 9 this weekend in San Diego, California. I'm flying out tomorrow (Friday) morning and I plan on visiting some sites around town, such as The Aircraft Carrier/USS Midway Museum and then head up to Little Italy in the [...]
Posted by Marcin on Thursday, October 18, 2007 in
Conferences,
People and
Security.
In my earlier article on Using Google Analytics to Subvert Privacy, I demonstrated how dangerous free tools could be to match privacy information to web clicks. But now that Google has updated their Analytics service to support internal search queries, [...]
Posted by Dre on Wednesday, October 17, 2007 in
Conferences,
News,
People,
Privacy,
Security and
Tech.
A lot of commotion has recently been stirred up around California Governor Arnold Schwarzenegger's recent vetoing of a bill (AB 779) that would strictly mandate all merchants to comply with. Many have scoffed at the Governor's "caving to lobbyists and [...]
Posted by Marcin on Tuesday, October 16, 2007 in
Politics,
Privacy and
Security.
Been busy the past couple days, just started work again and haven't gotten around to posting. I promise though, there'll be stuff coming up soon. In the meantime, enjoy the latest comic from xkcd: Exploits of a Mom
Posted by Marcin on Tuesday, October 9, 2007 in
Security.
This is in reply to Richard Bejtlich's post, "Someone Please Explain Threats to Microsoft." Richard takes issue with people (especially those who should know better) who misuse defined terms. We say a lot of things with the expectations of those who are [...]
Posted by Marcin on Wednesday, October 3, 2007 in
Security.
Chris Eng of Veracode attended the first PCI Community Meeting in Toronto, an organized panel that brings QSAs, ASVs and those subject to PCI together with the PCI DSS council, and lives to blog about it. Several days ago, I posted some thoughts on the [...]
Posted by Marcin on Friday, September 21, 2007 in
Security.
Get it here. Papers include: Real-time Steganography with RTP; PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3; Getting out of Jail: Escaping Internet Explorer Protected Mode; OS X Kernel-mode Exploitation in a Weekend; A Catalog of Windows [...]
Posted by Marcin on Tuesday, September 18, 2007 in
Security.
When I finished reading through PCI DSS v1.1 the other night (for like the fifth time), several requirements continue to jump out at me. To understand the PCI requirements, we first need to understand what is subject to PCI. From the standard, PCI DSS [...]
Posted by Marcin on Sunday, September 16, 2007 in
Security.
Over the last few years I have been finding ways to tweak my FreeBSD systems for better security and performance. One of the techniques that I used most often was tweaking kernel parameters using sysctl. As you may have known from previous posts I am now [...]
Posted by Casey on Thursday, September 13, 2007 in
Apple and
Security.
Marcin decided to take the day off with pay and allow me to share with you a guest blog post. Thanks, Marcin! Hello, my name is Andre and I'm a blogoholic. On with the post! With the popularity of MySpace also came the desire to track others who look at [...]
Posted by Dre on Wednesday, September 12, 2007 in
Privacy and
Security.
Single-user mode by default is available on OS X without a password. This is not a desirable system behavior and to remedy this, all that is needed are a few simple commands. To enable a higher level of security we can set an "Open Firmware Password". On [...]
Posted by Casey on Wednesday, September 12, 2007 in
Apple and
Security.
We try and secure our data, our systems, and people as best we can. We spend months evaluating and deploying firewalls, IDS, IPS, NAC, A/V, A/S, anti-spam, proxies, VPN, etc. Hopefully, you create matrices of each product you consider purchasing based on [...]
Posted by Marcin on Monday, September 10, 2007 in
Security.
I just read an excellent post by Mark Curphey on "The types of testing," part 2 in his 5 part series on "The Art of Scoping Application Security Reviews." Dre responded with some good commentary almost as long as the original post. One quote towards the [...]
Posted by Marcin on Tuesday, September 4, 2007 in
Security.
Boss, I Think Someone Stole Our Customer Data. The way Hoff puts it sounds all too familiar. I can't count the number of times I've heard people talk about their systems and believe they're as secure as can be because they did one, some, or all of the [...]
Posted by Marcin on Thursday, August 30, 2007 in
Security.
I've been backlogged lately, mostly due to taking a trip up to Lake Winnipesaukee, NH, getting a BlackBerry 8800, and my birthday. I've added a whole bunch of articles to my "toread" list, which I hope to get to soon and comment on. Computer security [...]
Posted by Marcin on Wednesday, August 29, 2007 in
Security.
Last year, a colleague pointed me to an article by Roland L. Trope in September/October 2006 IEEE Security & Privacy, Immaterial Transfers with Material Consequences. From the abstract: The need for such regulations is clear, but many firms underestimate [...]
Posted by Marcin on Wednesday, August 22, 2007 in
Defense and
Security.
Web 2.0 has (re)introduced a wide variety of attack vectors that can be used against Internet users to steal sensitive information, control the web browser, and more. The security industry has seen a shift from concentrating on the servers that house [...]
Posted by Marcin on Wednesday, August 15, 2007 in
Privacy and
Security.
For those living in Phoenix, Desert Code Camp is upon us. All morning and afternoon on Saturday, September 15 will be full of sessions that are all about code. My friend Adam Muntner (founder of QuietMove and contributor to Security Catalyst) will be [...]
Posted by Marcin on Monday, August 13, 2007 in
Conferences and
Security.
The other day I posted about a problem regarding the default behavior under OS X, which ignores permissions for mounted firewire drives. I decided to look for a solution to this rather than relying on administrators to set the proper option. What I [...]
Posted by Casey on Thursday, August 9, 2007 in
Apple and
Security.
When you mount a firewire hard disk under OS X it will mount with the 'Ignore ownership on this volume' option set. What this means is that owner information and file permissions will be ignored. Apple does this so that you can share a disk across [...]
Posted by Casey on Wednesday, August 8, 2007 in
Apple and
Security.
I am an avid OS X user and will be posting tools and security information regarding OS X regularly. I often need to create secure passwords that are easy to remember and today I found the perfect tool for doing this. It's called QuickPass and it's a [...]
Posted by Casey on Tuesday, August 7, 2007 in
Apple and
Security.
Ryan Naraine of ZDNet points out a Greasemonkey script that blocks Gmail cookie-theft attacks. The script can be downloaded here, and it redirects Gmail to use a "secure" HTTPS connection. You can modify the script to @include redirect any site that has [...]
Posted by Marcin on Tuesday, August 7, 2007 in
Privacy and
Security.
DEFCON15 is this Friday and I'll be in Vegas Thursday night. I'll be without Internet access this weekend, but I'll try and post something up for Sunday. If anybody wants to meet up, send me an email. Gonna be a good weekend. Some of the talks I'm [...]
Posted by Marcin on Monday, July 30, 2007 in
Conferences and
Security.
Recently, we've heard a lot of talk about P2P apps and data leakage concerning various members of Congress. It started with this article over at NetworkWorld, followed up by the guys at nCircle, directing criticism towards Congress from Techdirt, comments [...]
Posted by Marcin on Sunday, July 29, 2007 in
News,
Politics,
Security and
Tech.
Back in May, I attended a meeting to get a feel for the company and group I would be working for this summer as an IT Security Intern. Much to my surprise, Richard Bejtlich was in attendance and as it turned out we'd be working for the same company. [...]
Posted by Marcin on Thursday, July 26, 2007 in
People and
Security.
kuza55 noted this morning that Firefox 2.0.0.5 has implemented support for httpOnly cookies. It's not perfect, as ma1 pointed out in the comments, but it's better than nothing. The Firefox browser could be made even more secure by building NoScript, [...]
Posted by Marcin on Thursday, July 19, 2007 in
Privacy,
Security and
Tech.
C'mon guys, what in the hell are you releasing a .1 for just to fix four lines of code? I realize that an exploit in netfilter could be a serious issue, but netfilter doesn't belong in the kernel to begin with; it should be userland code. Grrrr. This is [...]
Posted by Casey on Wednesday, July 11, 2007 in
Linux and
Security.
So your DNS team sends you the company's entire domain name inventory in a CSV (comma-separated values) file. You're tasked with port scanning those hosts, to perform a network inventory, discover rogue services and other policy violations. It's simple [...]
Posted by Marcin on Monday, July 9, 2007 in
Security and
Work.
I passed up a chance to get an iPhone last week because I couldn't spare the time to wait in line for it. I was headed to New Hampshire to stay up at Lake Winnipesaukee with some friends and watch the NASCAR Modified, Busch, and [...]
Posted by Marcin on Tuesday, July 3, 2007 in
Security and
Tech.
I've been real busy lately, but I came across several blogs and articles this week that I'd like to share, Andrew Hay style. =) CEO Crime & Punishment -- Ben Horowitz, CEO of Opsware Inc., shares his thoughts on what entices executives to commit white [...]
Posted by Marcin on Thursday, June 28, 2007 in
News,
Privacy,
Security and
Tech.
Several people in the corporate IT security group where I'm interning this summer have been working hard on creating a program to educate users on the company's acceptable use policies and some basic security awareness. They've done a great job and the [...]
Posted by Marcin on Tuesday, June 26, 2007 in
Security and
Work.
Using Yahoo! Pipes, I tied over 100 different security blogs into a single feed, sorted newest on top, which encompasses all areas of security. When I have some more time I'll add security news sites like DarkReading, SecurityFocus, etc. I know Mark [...]
Posted by Marcin on Wednesday, June 20, 2007 in
Security.
I was directed through RSnake's blog to an XSS defect in Yahoo! Services and had a couple questions concerning secure design of web applications... So here's the scenario: a user is authenticated by a device between himself and the application he's [...]
Posted by Marcin on Friday, June 15, 2007 in
Security.
I came across a neat little command that will allow you to SSH through an http-proxy. Useful for when you're at a library or elsewhere and need to make an outbound SSH connection and the only thing stopping you is a proxy. Features of connect.c are: [...]
Posted by Marcin on Saturday, June 9, 2007 in
Security.
Mikko @ F-Secure made a post on their blog about whether or not law enforcement organizations should be permitted to utilize security tools and hacking techniques in investigations that got me thinking. To me the answer to this question is very clear -- [...]
Posted by Casey on Tuesday, June 5, 2007 in
Politics,
Privacy and
Security.
I started working on a project that has no doubt, been done before. It's something no one has publicly posted information on and it's not new -- something everybody wants yet every vendor says is impossible. The problem with this project, is it can't be [...]
Posted by Marcin on Saturday, June 2, 2007 in
Security and
Work.
Christopher Soghoian has an excellent remote vulnerability disclosure report concerning Firefox Add-ons. More than several extensions from various 3rd parties are vulnerable to man-in-the-middle attacks. Q: Who is at risk? A: Anyone who has installed the [...]
Posted by Marcin on Thursday, May 31, 2007 in
Security.
Andrew Hay writes: Dell & Google Secretly Installing Software to Make Money Off Your Typos Those bastards, how is this business practice not illegal? New Dell machines that include the Google toolbar as part of a marketing agreement also include a secret [...]
Posted by Marcin on Thursday, May 24, 2007 in
News,
Privacy,
Security and
Tech.
Is anyone in the Hartford, Connecticut area between Boston and Manhattan interested in a CitySec meetup? I'm gauging interest for those located between the two cities (like myself). Anybody care to share a trip report for BeanSec or NYSec meetings?
Posted by Marcin on Wednesday, May 23, 2007 in
Security.
Last week, I blogged about data classification and how it's difficult for many organizations to gain control of. The next day SearchSecurity published Data classification is first step in successful data protection, an article that addresses the need to [...]
Posted by Marcin on Wednesday, May 23, 2007 in
Privacy and
Security.
(Continued from Consumerization of IT and state of the security industry and a reply to Low probability but a devastating impact.) After lunch, we broke up into several groups and I headed to the discussion on "next generation threat analysis," which [...]
Posted by Marcin on Thursday, May 17, 2007 in
Security and
Work.
Yesterday was a bit of a surprise for me; I met someone I never would have expected to meet, and an actual co-worker too. There were several talks today, focusing on the "consumerization" of IT, the state of the security industry from a Wall Street [...]
Posted by Marcin on Thursday, May 17, 2007 in
Security and
Work.
I've been too busy to blog this week and haven't had any ideas for any new topics. Tomorrow (Wednesday and Thursday) I'll be attending my company's internal security "conference" to discuss the issues and projects IT Security faces. I'm interning at this [...]
Posted by Marcin on Tuesday, May 15, 2007 in
Security and
Work.
If everybody were honest with themselves and others. If people didn't break into other people's houses, bank accounts, commit acts that are criminal and deprive (or take advantage of) others' rights, we wouldn't need security. Remember the days you could [...]
Posted by Marcin on Thursday, May 10, 2007 in
Security.
Following a thread that has gotten some attention and even sparked some bloggers to tag each other with their own stories, I thought I'd post my own "how I got started." I'm twenty years old and my area of study since I graduated high school has been network [...]
Posted by Marcin on Wednesday, May 9, 2007 in
School,
Security and
Work.
So, I was wading through all the garbage on digg today and came across Jim Rapoza's 12 Ways to Be a Security Idiot. It got me thinking about all of the dumb and insecure practices that I saw while I was working for the City of Tempe here in Arizona. [...]
Posted by Casey on Wednesday, May 2, 2007 in
Security.
Good stuff. I just find it hilarious when people watch CSI or all these other movies and think hacking or recovering data off a hard drive is so flashy and cool. Or better yet, completely retarded. It's a UNIX system! I know this! Cookie to the first [...]
Posted by Marcin on Monday, April 30, 2007 in
Security and
Tech.
In a month, I begin a new internship for a Fortune 100 company. Having already spoken with a member of the security team, I can expect to be placed in one of four areas in IT security, including web application security and forensics/incident response. I [...]
Posted by Marcin on Thursday, April 26, 2007 in
Security and
Work.
My first hack that I remember was in sixth grade (1996 or so??). We had a lab full of Macintosh computers, which I had no clue about or anything at the time, other than we logged into them and had a folder for our documents and another folder containing [...]
Posted by Marcin on Tuesday, April 24, 2007 in
Security.
So I hit up the Security Bloggers Network and what do I see? A post on Technobabylon with a bunch of penises (sp?), some Indian dude with a Swastika shirt, and a whole slew of personal information. Someone doesn't like Ross Brown or eEye Digital [...]
Posted by Marcin on Friday, April 20, 2007 in
Security.
I'm looking for suggestions on any tools to reverse engineer programs for Windows based systems. I have the *nix and BSD bases covered; I'm just lacking a good Windows toolkit. Particularly, tools to analyze memory, disassemble, debug, etc... I've heard [...]
Posted by Marcin on Wednesday, April 18, 2007 in
Security.
h1kari, not long ago at ShmooCon 2007, presented (*.mp4) his custom Field-programmable gate array optimized for cracking WEP and WPA encryption. It performed in some cases over 400% faster than a Pentium 4 or Athlon64. The reason why the chip performs so [...]
Posted by Marcin on Tuesday, April 17, 2007 in
Security and
Tech.
From F-Secure Weblog: News from the Lab (spoiler: answer below). Question of the day: How come you get over 160,000 hits when you search Google for "d41d8cd98f00b204e9800998ecf8427e"? Pretty much the same thing for [...]
Posted by Marcin on Tuesday, April 17, 2007 in
Security.
And the post of the day goes to Mike Rothman, and his comments on Javelin's research survey that claims 77% of 2750 consumers said they would not shop at stores that suffered data breaches. I think this number is crap. Why? The analogy I'll use is [...]
Posted by Marcin on Monday, April 16, 2007 in
Politics,
Privacy and
Security.
A funny slide taken from Windows WSYP Project: Security is (or will be) your job. Security is your life. You are security for your org. If you wanna be good, there are things you have gotta know: how to say "I don't know"; how to say "That's not allowed" [...]
Posted by Marcin on Monday, April 16, 2007 in
Security.
To get Kismet to run under the ipw2200 driver, simply edit /etc/kismet/kismet.conf. Here is the diff -u output: --- kismet.conf.orig   2007-04-03 13:51:29.000000000 -0700 +++ kismet.conf 2007-04-03 13:53:55.000000000 -0700 @@ -7,10 +7,10 @@ [...]
Posted by Marcin on Thursday, April 12, 2007 in
Linux and
Security.
LonerVamp has been watching ShmooCon videos all day long and has posted his thoughts on several of them. My favorite talks (that have been uploaded) from ShmooCon are the following: A Hacker Looks at 50; Extend Your Code into the Real World; No-Tech [...]
Posted by Marcin on Sunday, April 8, 2007 in
Security.
ShmooCon 2007 videos are up. Check out http://www.shmoocon.org/2007/videos/.
Posted by Marcin on Friday, April 6, 2007 in
Security.
Andy IT Guy writes, "I think we need to focus not on how to crack what is already broken but on how we can protect what is using it. I'd love to see WEP go away but it won't happen anytime soon." Andy hits the nail right on the head with this one. A lot [...]
Posted by Marcin on Thursday, April 5, 2007 in
Security.
I asked a colleague once how to answer those silly questions, you know, the ones banks and other sites like to use to reset passwords? They're used to verify you are, who you say you "were." Well, my bank at the start of the year had introduced some [...]
Posted by Marcin on Wednesday, April 4, 2007 in
Intelligence,
Privacy and
Security.
Expanding on my previous blog post regarding export control and how it is defined, there are several other factors to take into consideration to help ensure compliance. Record Keeping: All export records must be kept for five years after license [...]
Posted by Marcin on Wednesday, April 4, 2007 in
Defense and
Security.
ITT was fined $100 million for illegally exporting classified technical data relating to night vision equipment overseas. In addition to being fined, they must "invest $50 million over five years to accelerate development of night vision technology, and [...]
Posted by Marcin on Saturday, March 31, 2007 in
Defense,
Politics,
Security and
Tech.
I was watching an episode of It Takes a Thief on the Discovery Channel the other day that featured two skateboard shop owners. The hosts had scouted the shop a day before, looking for video cameras and other security equipment. The next day, they return [...]
Posted by Marcin on Friday, March 30, 2007 in
Security.
While at ShmooCon, I saw a fair share of rogue APs pretending to be ShmooCon APs. We worked to pull down these access points, but you can never be sure. To help keep yourself from getting pwned, disable wireless upon startup by commenting out your [...]
Posted by Marcin on Sunday, March 25, 2007 in
Linux and
Security.
I wanted to ask Dan Kaminsky, who btw is a brilliant presenter (more below), about doing grammar and writing style analysis to determine who wrote a paper. I can see the techniques as potentially having forensic uses. Don't ask me what his talk was [...]
Posted by Marcin on Sunday, March 25, 2007 in
Intelligence and
Security.
We got our NOC up and running. Critical services have been set up for the most part, and we'll be doing some tuning today. Not new to us all, things don't always work the way you want, so that's what we're currently going through today. To anyone here at [...]
Posted by Marcin on Friday, March 23, 2007 in
Security.
Tonight I had a great time hanging out with Michael Santarcangelo of Security Catalyst, Andre Gironda, Erich Newell and Adam Muntner. There were a bunch of other guys (and Grace!) there, but I apologize for not remembering your names. It was fun talking [...]
Posted by Marcin on Tuesday, March 20, 2007 in
Security.
While chatting in #snort-gui today, somebody noticed Gizmodo was showing off their ticket to Apple NAB. You can see they blurred the Name, Company and barcode on the ticket. Whoever did this did a poor job, because they didn't blur the name on the [...]
Posted by Marcin on Tuesday, March 20, 2007 in
Privacy and
Security.
The OpenBSD IPv6 Remote DoS vulnerability has sparked debate and strong reaction on whether denial-of-service is a security vulnerability or not. Let's go back to the fundamentals we all learned early on: C-I-A, Confidentiality, Integrity and [...]
Posted by Marcin on Sunday, March 18, 2007 in
Security.
Last night I attended my first Phoenix-OWASP meeting hosted at UAT. There were around 30 people in attendance from all backgrounds, including independent researchers, government agencies, private sector, and academia. Andre Gironda had a cool [...]
Posted by Marcin on Friday, March 9, 2007 in
Security.
The folks at nCircle Blog have posted a VERT Challenge, and hopefully more to come. You can check out the details at their blog, but I'll be posting my progress here and we'll see how far I can get before I either a.) give up, or b.) someone else gets [...]
Posted by Marcin on Wednesday, March 7, 2007 in
Security.
From the Owasp-phoenix mailing list: This month we have an exciting technical talk discussing the Same-Origin Policy and attacks that attempt to break/circumvent these controls by security researcher Andre Gironda. The details of this month's meeting are [...]
Posted by Marcin on Tuesday, March 6, 2007 in
Security.
The list of speakers and schedule for ShmooCon has been posted. A lot of interesting topics to check out, it's so hard to choose. My friend Ryan Clarke is speaking on "Extend your Code into the Real World," a look at electronics and hardware hacking. [...]
Posted by Marcin on Sunday, March 4, 2007 in
Security.
If you haven't heard, a keygen was released that brute-forced the correct CD key for Windows Vista. Martin McKeay did the math and let's just say, it'll take a really long time for anybody to brute force a key with the processing power we have available [...]
Posted by Marcin on Sunday, March 4, 2007 in
Security and
Tech.
Look left when everyone looks right and say no when everyone says yes. Then, ask why? You're in the position as a security professional to tell the bosses no; that's what you're paid for. Don't be afraid to cry wolf when something is out of the ordinary, [...]
Posted by Marcin on Tuesday, February 27, 2007 in
Security.
Do tools make us dumber? I don't agree with the idea exactly, as they are just that, tools. Tools are just another level of abstraction from thinking at a lower level. It's what distinguishes an engineer from a kit builder. Who here wants to program in [...]
Posted by Marcin on Sunday, February 25, 2007 in
Intelligence,
Security and
Tech.
Hey Mike, thanks for posting your presentation (Building a Sustainable Security Career) you gave to ISSA-NH the other day. I found it interesting, since "your father's 6 fundamental assumptions about work" were the same I had for quite a while. You can [...]
Posted by Marcin on Wednesday, February 21, 2007 in
Security.
Several of us have been discussing in a thread at the Security Catalyst Community Forums, and we all have differing opinions on what constitutes an "insider threat." In my opinion an insider threat is a party who has the capability and intention of [...]
Posted by Marcin on Wednesday, February 21, 2007 in
Security.
SP 800-94 (http://csrc.nist.gov/publications/nistpubs/#sp800-94), Guide to Intrusion Detection and Prevention Systems (IDPS), seeks to assist organizations in understanding intrusion detection system and intrusion prevention system technologies and [...]
Posted by Marcin on Wednesday, February 21, 2007 in
Security.
Spam sucks. Why do spammers have to ruin every communication medium out there? Postal mail, email, popups, malware/spyware, and now comment spam. LonerVamp over at terminal23 has noticed an increase in spam on his blog as well. I had used Akismet to help [...]
Posted by Marcin on Thursday, February 15, 2007 in
Privacy and
Security.
It's out, Issue 1.10. Contents: Microsoft Windows Vista: significant security improvement?; Review: GFI Endpoint Security 3; Interview with Edward Gibson, Chief Security Advisor at Microsoft UK; Top 10 spyware of 2006; The spam problem and open source filtering [...]
Posted by Marcin on Wednesday, February 14, 2007 in
Security.
I'm heading out to Los Angeles for the 5th Annual Southern California Linux Expo. I'll try and post in between sessions (that is... whenever I can). I'll be attending these talks: Leveraging the IT Community (This talk is focused on building a new broad [...]
Posted by Marcin on Friday, February 9, 2007 in
Linux,
Security and
Tech.
Pretty funny: http://www.youtube.com/watch?v=X4FF_aT_mE8
Posted by Marcin on Tuesday, February 6, 2007 in
Security and
Tech.
Linus released kernel v2.6.20 (tar.bz2) to the public today, adding virtualization support through KVM and relocatable kernel support for x86, among other changes. The latter feature is an interesting one from a security perspective and for kdump users. [...]
Posted by Marcin on Sunday, February 4, 2007 in
News,
Security and
Tech.
Hey everyone. Earlier today my hosting had expired and I had to migrate to a new host. Update your bookmarks to account for the changes. The new URL address of my blog is www.tssci-security.com. Thankfully, most of you who subscribe via RSS shouldn't have [...]
Posted by Marcin on Saturday, February 3, 2007 in
Security.
RMogull called it, February is Month of No Bugs. L.M.H. signs off from Month of Apple Bugs... let's see who else will bother keeping up with the vulnerability a day, every day momentum.
Posted by Marcin on Friday, February 2, 2007 in
Security.
My staging servers cannot boot from CD-ROM, therefore I use a boot disk. For this reason alone, I have floppy drives in all my systems. I also save time by booting from floppy disk and installing operating systems over the network. A tip for anyone who's [...]
Posted by Marcin on Wednesday, January 31, 2007 in
Security and
Tech.
When contracted to perform a network security evaluation or penetration test, one of the most important stages is the pre-evaluation phase. During this phase, you develop contacts and gather information about the company. It's important to determine the [...]
Posted by Marcin on Tuesday, January 30, 2007 in
Security.
Literally right after RSA, SCALE is happening February 10th and 11th. I plan on making the drive out with several other friends from school. The presentations I'm looking forward to: New & Improved: How a More Modern IT Security Model Can Better Protect [...]
Posted by Marcin on Tuesday, January 30, 2007 in
News,
Security and
Tech.
Guy Kawasaki has a very interesting blog and today posted "The top 10 stupid ways to hinder market adoption." Supporting only Windows Internet Explorer. What Guy fails to mention is having a website that's always available to its users. Supporting only [...]
Posted by Marcin on Monday, January 29, 2007 in
Security and
Tech.
I am not 100% positive whether this is just mere coincidence, but I have a feeling my sister has fallen victim to the TJX security breach reported last week. Fraudulent transactions originating in France (of all places) began January 10th, comprising four [...]
Posted by Marcin on Friday, January 26, 2007 in
News,
Privacy and
Security.
Part of any monitoring and intrusion detection strategy should include file integrity checking and regularly auditing programs capable of privilege escalation. These programs are often replaced or modified by intruders, creating processes or performing [...]
Posted by Marcin on Friday, January 26, 2007 in
Security.
My bank recently upgraded its architecture and web site, adding more features and "improved security." After logging in, I am directed to a page greeting me and asking to update my account information and "security challenge questions." The drop-down menu [...]
Posted by Marcin on Wednesday, January 24, 2007 in
Security.
I made this poster back a couple years ago, telling users to think before they click. It shows a mouse pointer and "Format C:\" button with a red circle and a slash through it. (edit: click here for the *nix version) If anyone has some other sayings for [...]
Posted by Marcin on Tuesday, January 23, 2007 in
Security.
My good friends over at Security Horizon have released the Winter 2007 issue of The Security Journal. Stories covered include: Fire up your Fox: a Browser Platform for Security Testing; How I Cut Our Spam by 90%; Risk Assessment with NIST SP 800-30; Book [...]
Posted by Marcin on Monday, January 22, 2007 in
Security.
F-Secure has a replay of their WorldMap from last night, 01/19/2007. It shows the spread of Storm-Worm Small.DAM, an e-mail worm and it's really, really cool. I want one! (not the worm of course, :P ) The video is also available on YouTube.
Posted by Marcin on Saturday, January 20, 2007 in
Security.
I was tired today... maybe it was the material, or the fact that I had to break my college routine and wake up early in the morning... but I was beat. Regarding the IEM, the material could be a little better. Some of the tools that were mentioned are not [...]
Posted by Marcin on Thursday, January 18, 2007 in
School and
Security.
This semester, I am taking the IEM as part of a class that will be assigned to evaluate my university's network security. Last semester, I was a team leader in an IAM, an assessment of my school's organizational information security. The IAM is two full [...]
Posted by Marcin on Thursday, January 18, 2007 in
School and
Security.
Volume 6 of the Uninformed Journal is out. This issue contains the following: Engineering in Reverse: Subverting PatchGuard Version 2; Locreate: An Anagram for Relocate. Exploitation Technology: Exploiting 802.11 Wireless Driver Vulnerabilities on Windows [...]
Posted by Marcin on Sunday, January 14, 2007 in
Security.
To anyone who has register_globals turned on for PHP versions 4 through 4.4.3 and < 5.1.4, update your WordPress; 2.0.7RC1 is available. The exploit takes advantage of code flaws in wp-trackback.php.... again, allowing a SQL injection admin hash disclosure. [...]
Posted by Marcin on Thursday, January 11, 2007 in
Security.
Today Congress will ask the President for an update on National Strategy for Pandemic Influenza. This reminded me of an article I read in the December 2006 issue (pp 36-43) of Information Security Magazine. One of the feature stories, Don't Wait for [...]
Posted by Marcin on Thursday, January 11, 2007 in
Security.
Thank you very much InformationWeek! I was reading an IW article, Adobe Patches Acrobat And Reader XSS Bug, 3 Other Flaws, hoping to get some useful information from it. The article contains 15 links, two of which are other IW articles and three direct [...]
Posted by Marcin on Wednesday, January 10, 2007 in
News and
Security.
I see Michael Farnum has responded to Terry Sweeney's blog post on Phishing your own users. I would just like to remind everyone that while intentions may be good, to remember the times people have tried this tactic with viruses. How many times did we [...]
Posted by Marcin on Monday, January 8, 2007 in
Security.
I came across this today, a Multiple Vendor PDF Document Catalog Handling Vulnerability over at MOAB. I was curious, so I decided to check it out and download the POC exploit code. The document failed to open on my Windows XP workstation using Foxit [...]
Posted by Marcin on Monday, January 8, 2007 in
Security.
I'm at the airport right now, after having gone through an extensive, supposedly random TSA security screening and came across this article at dheera.net. In summary, the article states blurring sensitive text in photos is a bad idea. The reason being, [...]
Posted by Marcin on Sunday, January 7, 2007 in
Security.
Michael (LV) over at terminal23 hits the nail right on the head with the latest articles and blog posts regarding full disclosure and responsible disclosure. I'd rather hear from the community about a new security vulnerability than wait for a vendor to [...]
Posted by Marcin on Friday, January 5, 2007 in
Security.
As some of you know, I should be (hopefully) graduating this August. I'll be taking a couple classes this summer to finish up the credits I need and finally graduate. I've been thinking more and more about some entry-level security certifications but am [...]
Posted by Marcin on Friday, January 5, 2007 in
Security.
With the recent vulnerabilities in Adobe Acrobat/Reader and reported exploits, I just want to point you all to a free, light-weight self-executable PDF reader for Windows: Foxit Reader 2.0. It's super fast for simple text PDFs, however it sometimes has [...]
Posted by Marcin on Thursday, January 4, 2007 in
Security.
I couldn't take it anymore, so I bit the bullet and bought a ticket to ShmooCon for $150. Next thing I need to arrange are hotel accommodations. Wardman Park Marriott is too expensive for us poor college students, so I'll be looking into getting a room [...]
Posted by Marcin on Tuesday, January 2, 2007 in
Security.
Happy New Year everyone! I had a great night with my friends and a lot of unneeded drama, but oh well. I'm disappointed I wasn't able to snag ShmooCon tickets for $75; they sold out in under three minutes! I'm still organizing a trip with several other [...]
Posted by Marcin on Monday, January 1, 2007 in
News,
School and
Security.
In response to Michael at mcwresearch and Michael (LV) at terminal23, I'm surprised there has been no middle-ground adoption that gives users ability to format text (colors, bold, italic, underline, bullets, etc), without the nastiness of HTML and [...]
Posted by Marcin on Friday, December 29, 2006 in
Security.
Who else besides me thinks "ThreatCon" levels are bullshit? (not to be confused with vulnerability alerts) After checking out Slashdot this morning, I came across CERTStation, which attempts to aggregate current threat information into one page, entirely [...]
Posted by Marcin on Thursday, December 28, 2006 in
Intelligence and
Security.
Alright, I just have to respond to this opinion regarding Social network users have ruined their privacy, forever. Just about anyone can read what's posted onto social networking websites like MySpace and FaceBook. 'Anyone' includes the intended audience [...]
Posted by Marcin on Wednesday, December 27, 2006 in
Security.
Following everyone else and their "Security Predictions of 2007," I have some predictions of my own: I will be graduating in August with a Bachelor's Degree I will be looking for an entry-level position in security These are two predictions that I am [...]
Posted by Marcin on Saturday, December 23, 2006 in
School and
Security.
Those who know me personally will know I have barely any time for games. I always say that us network security geeks shouldn't be playing games, leave that to the smelly game design kids (j/k with ya guys). Well, here are a couple games I do approve [...]
Posted by Marcin on Saturday, December 23, 2006 in
Security.
I've noticed a lot of discussion around news (some new, some old) articles this week related to "increased insider threats". To quote my own Slashdot post: "Viktor Cherkashin, a former KGB officer states in his book Spy Handler, people most often commit [...]
Posted by Marcin on Friday, December 8, 2006 in
Links and
Security.
From the nmap-dev mailing list: From: Fyodor <fyodor_at_insecure.org> Date: Thu, 7 Dec 2006 20:19:00 -0800 Hi Everyone, I just posted the binaries for 4.20! Woohoo! This is the first "stable" release in almost 6 months, and contains tons of important [...]
Posted by Marcin on Friday, December 8, 2006 in
Links and
Security.
Get right down to it! F-Secure has posted this letter asking domain registrars to double-check the names people register for domains to help combat phishing. The example they give is just one of many that go wild: Like, say, somebody trying to register a [...]
Posted by Marcin on Tuesday, December 5, 2006 in
Links and
Security.
I've been seeing stories about the Nike+Ipod sport kit and how researchers have come up with a way to track people wearing them. This is nothing new, people have been able to do this for quite some time, called SIGINT (signals intelligence). You've been [...]
Posted by Marcin on Saturday, December 2, 2006 in
Security.
Alan Shimel of StillSecure created the Security Bloggers Network, a network of feeds with content relating to security. Check it out, it's a great way to see what other security pros, analysts, vendors, and anyone else in the industry is blogging about.
Posted by Marcin on Thursday, November 30, 2006 in
Links and
Security.
A new release of the (IN)Secure magazine is out. Version 1.9 - December 2006 [pdf]. Some highlights from this month's issue: Effectiveness of security by admonition: a case study of security warnings in a web browser setting Interview with Kurt Sauer, [...]
Posted by Marcin on Tuesday, November 28, 2006 in
Security.
China's at it again, this time having obtained information on secret technology used on the B-2 stealth bomber's engines. The data will now allow China to copy or counter weapons using the technology. Details of the classified defense technology related [...]
Posted by Marcin on Friday, November 24, 2006 in
Security.
You're on the go, at the airport, at a coffee shop, whatever. You need to check your email or login to your bank account to make sure you have sufficient funds (I'd recommend against it, but people do it anyways). You sit down at a public internet [...]
Posted by Marcin on Friday, November 24, 2006 in
Security.
Alex Rice of Websense Security Labs, dissected "Web-Attacker", one of the most popular exploit kits on the web. He recently got a hold of the source code and takes us step by step through it all. For those who do not know how Web-Attacker works, here's a [...]
Posted by Marcin on Saturday, November 11, 2006 in
Security.
Roger at InfoWorld has been running a password-cracking contest for some time now and just recently received the first correct cracks at his first password: a 10-character password with normal complexity. The other two that have still yet to be cracked, [...]
Posted by Marcin on Friday, November 10, 2006 in
Security.
NIST has released SP800-100, Information Security Handbook: A Guide for Managers. I'm sure it'd benefit everyone in the security community, since you either are or one day will be a manager (or at least help make managers make more informed decisions). [...]
Posted by Marcin on Friday, November 10, 2006 in
Security.
The U.S. intelligence community recently unveiled Intellipedia, a top-secret wiki available to sixteen various agencies to share information and resources better. You can catch more on the story at GCN, Infowars, and a blog dedicated to Intellipedia! My [...]
Posted by Marcin on Thursday, November 2, 2006 in
Intelligence and
Security.
With all the problems and flaws in electronic voting machines being exposed over the past couple months, I'd like to know why there hasn't been any effort in designing a new voting system from scratch. What does an electronic voting machine need to be [...]
Posted by Marcin on Monday, October 30, 2006 in
Links,
Security and
Tech.
By now most of you have heard about how easy it is to hack a Diebold machine, and the blatant security flaws, such as not utilizing encryption or password protection. Well, HBO will be airing "Hacking Democracy" a documentary that exposes the [...]
Posted by Marcin on Monday, October 16, 2006 in
Security.
The Shmoo Group is soliciting papers and presentations for the third annual ShmooCon. ShmooCon 2007 has 4 options for speaker submission: One Track Mind - Technical Tales in Twenty Minutes or Less Break It! - Technology Exploitation Build It! - [...]
Posted by Marcin on Friday, October 13, 2006 in
Links and
Security.
I've been getting some requests for what to look for when doing the on-site portion of an INFOSEC assessment, and put together a checklist derived from the 18 baseline classes and categories the NSA has specified. You can add/remove to this list as you [...]
Posted by Marcin on Thursday, October 12, 2006 in
Security.
I've been following a discussion regarding backdooring PDF files on the full-disclosure mailing list originally posted by David Kierznowski and on eWeek. At his site, he discusses two techniques for exploiting Adobe Acrobat Reader and Professional. [...]
Posted by Marcin on Saturday, September 16, 2006 in
Security.
It's been a couple days since I attended day two of the IAM training, but I've been a little busy taking that information and preparing for our class' assessment of the school. On day two, we went over modules 3 and 4 (available at the IATRP website, for [...]
Posted by Marcin on Friday, September 15, 2006 in
School and
Security.
The IAM training has been going pretty well, even though it was just the first day. Today, the class went over the initial contact and pre-assessment phases. We defined the mission of our example organization (our customer) and identified points of [...]
Posted by Marcin on Wednesday, September 13, 2006 in
School and
Security.
This Tuesday and Wednesday I'll be attending a training session (held at my school) on the NSA's Infosec Assessment Methodology taught by Russ Rogers and Greg Miles of Security Horizon. The IAM is a vulnerability assessment of an organization's security [...]
Posted by Marcin on Sunday, September 10, 2006 in
School and
Security.
I'm enthused to hear Ross Anderson has made his book, Security Engineering available online and FREE to download. He explains his reasoning at his website; to reach the widest possible audience, especially among poor students and being a supporter of [...]
Posted by Marcin on Tuesday, August 29, 2006 in
Books and
Security.
Here's a cool article [engadget], from the lockpicking event at DEFCON14 in Las Vegas. The author goes into some detail as to what the components of a lock are and how they work together. Also described is the history of "bumping" locks (as the 11 [...]
Posted by Marcin on Friday, August 25, 2006 in
Security.
No... not the International Space Station (for you Slashdotters...) ARMONK, NY & ATLANTA - 23 Aug 2006: IBM (NYSE: IBM) and Internet Security Systems, Inc. (NASDAQ: ISSX) today announced the two companies have entered into a definitive agreement for IBM [...]
Posted by Marcin on Thursday, August 24, 2006 in
Links,
News and
Security.
Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks (http://lcamtuf.coredump.cx/silence.shtml) By Michał Zalewski. I am a student studying information security and I've read many books lately on the subject. Silence on the [...]
Posted by Marcin on Wednesday, August 23, 2006 in
Books and
Security.