Haroon Meer
and then there was one….
First IBM announced their interest in Watchfire, and now HP announces their interest in SPI Dynamics. “Consolidation in the industry” is one of those horrible phrases that are always bandied about because it makes people seem analytical and fore-casty, but i think its pretty clear that there are stirrings in buyout land right now.. I guess it bodes well for WhiteHatSec and similar folks.. they surely have to be on the radar..
Talking of buyouts, its always been strange for me that CORE have managed to go by as long as they have without being purchased. Their technical roots being in Argentina might have explained it for a little while, but a whole bunch of years later.. i dont get it.. (Having said that, i must add the caveat that i am talking completely through my ear since im pretty sure they would have been approached often enough and could simply have been rejecting offers waiting for the right match..)
Shuttleworth comments on Microsoft/Ubuntu deal rumours
Mark Shuttleworth on his blog makes it clear
-snip-
“We have declined to discuss any agreement with Microsoft under the threat of unspecified patent infringements.”
…
I have no objections to working with Microsoft in ways that further the cause of free software, and I donâ€t rule out any collaboration with them, in the event that they adopt a position of constructive engagement with the free software community.
…
All the deals announced so far strike me as “trinkets in exchange for air kissesâ€. Mua mua. No thanks.
-snip-
Viva Las Vegas!
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This year Marco and i will be taking a new look at some old attacks.. The bulk of the talk will focus (like its name suggests) on timing attacks, but we will be looking in general at timing, race conditions and other attacks that have not yet been packaged into tools and so are not yet prone to the type of over-fishing we have found with fuzzable bugs..
Safari on Win32, and browser choices in general..
Gareth linked to David Maynor’s blog where he documents the results of some simple fuzzing against the new Win32 port of Safari. Of course fanboys everywhere are going to be on this one like, erm.. like a thing that is very onto another thing.. but.. i digress..
2 things are interesting in all this for me though..
Why Apple chose now to do the win32 safari release Why anyone in security uses Safari anyway? Most people postulate that the Win32 Safari release is tied to the release of the iPhone. Since 3rd party developers cant build for the iPhone yet, it would seem that web-apps running on iPhone Safari would be the way to go for now.. if you are pushing the browser they need better adoption.. its a reasonable enough theory and i cant imagine its because apple actually want to launch a serious attack against IE/Mozilla on non Apple desktops
More Pentagon data leakage through Office files..
R J Hillhouse (who has a fascinating background) found that when she double clicked a graph on a slide deck belonging to the office of national intelligence (available from the DIA website), the linked spreadsheet popped up..
This effectively revealed “the dollar amounts in tens of millions spent by the US Intelligence Community on contractors”.
Aages ago lcamtuf highlighted info leakage through MS Office files, and it seems these days lots of folks are making lots of money selling blackbox, i will prevent data leakage in your organization type kit.. i haven’t looked in depth at too many of them but have to wonder how many of them would have caught the embedded spreadsheet at all..
VMware for OSX (Fusion) – Beta 4
VMware have just released beta4 of its Fusion product for OSX.
The initial beta was hard to justify and a little flaky, which allowed Parallels to take an early lead. We still have people in the office who swear by parallels.. But.. in my book VMware has just been such a life saver since we first started making heavy use of it (about 6 years ago) that i figured it was worth sticking it out..
Re: Jeremiah Grossmans “How to find your websites”
Jeremiah from WhiteHatSec has just written a quick piece on how to find your websites. Now Footprinting is obviously dear to our hearts, with 3 Blackhat talks on it (or applications of it) (“Automation – Deus ex Machina or Rube Goldberg Machine?“, “Putting The Tea Back Into CyberTerrorism“, “The Role of Non Obvious Relationships in the Foot Printing Process“), a commercial tool almost dedicated to it, and a full blown chapter on it in Open Source Penetration Testing by charl and gareth. Footprinting is a genuinely important part of a companies security assessment, cause it doesn’t matter if they have multi-layer firewalls and WAF’s protecting the web app on their www.company.com, and an old barely used sql-injectable form on their community.company.com site that lets you grab SA on their SQL server anyway..
(Now that the shameless self promotion is over..) i wanted to touch on an interesting aspect of webserver discovery that is often skipped, and thats the issue of multiple websites running as name based virtual hosts on the same web-server. There was a time (not so long ago) when all of the popular scanning tools, failed to take into account that scanning 209.61.188.39 was not the same as scanning www.sensepost.com (or hackrack.sensepost.com which happens to be on the same ip address).
Second Life land grab case moves into U.S federal courts..
Ars Technica is reporting on the law suit filed in 2006 by Martin Bragg who accused Linden labs of wrongfully seizing his virtual land.
-snip-
Linden Lab filed two motions to dismiss the suit, arguing that Bragg came into possession of his land wrongfully, but the Pennsylvania judge denied those motions.
-snip-
A few things about this are super interesting..
Linden Labs (creators of Second Life) literally sells online assets for real world money.. Martin Bragg (from accounts read) found that by simply adjusting his HTTP GET parameters was able to bid on not yet opened auctions.(1) Bragg apparently invested thousands planning to buy low and sell high We have just started to consider the attack possibilities and where this is going but again, i suspect fun times are ahead (2)..
Web Mashups point and click style (open invite for Sammy v2.0) ?
[Yahoo pipes] looks like an awesome way for even non-programmers to create web mashups trivially. Aside from the fact that its interface is super-cool, it brings an interesting dimension to next gen web attacks. (Google Video on Pipes by Pipes developers).
pdp has already covered pipes in his OWASP talk where he used it to re-write a jikto equiv. in almost-0 lines of code, along with a tinyurl filesystem. pdp also mentions Dapper, which i have not checked out till now, but looks like fun waiting to happen too..
In all the services look leet, and look like a cool way to get “unification” going for browser attacks*. Check them out, the possibilities for evil’ness should start running through your head from click 1.
Windows filesharing on OSX still vulnerable…
Aaron Adams over at SYMANTEC, did a quick check on the version of Samba running on currently up to date OSX machines and found that the Macs were still running 3.0.10. He did a quick mod on the existing Metasploit module and has reliable code execution going..
If you are running OSX, you probably want to make sure your samba isnt exposed while you grab the latest source and build..
/mh