2007
Probably the best book dedication i have ever seen….
Richard Bejtlich didnt give the pre-release a glowing review but i know at least a few people waiting eagerly to get their hands on the new “Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, and Pedram Amini“. Pedram is the mastermind behind Pai-Mei and started OpenRCE, but his last blog post points to the books dedication page, and it probably makes the book worth buying all on its own..
outstanding…
In Defense of Testing Pens… (aka how to keep your soul while being a pen-tester)
A short while back, a discussion broke out on a mailing list about the nature of being a pen-tester. The discussion quickly gravitated towards the number of “security” companies where numbers of projects far out-weigh the interestingness of projects, leading rapidly to a cookie-cutter mentality to pen-test engagements..
Of course if you have spent any time in the industry, you already know this to be true.. the obvious danger with this is that you have a lot of unhappy pen-testers giving shoddy output to (eventually) very unhappy customers. Sadly this soon follows the well published “market for lemons” problem where eventually due to information asymmetry, bad products will soon push out good ones.. i.e. because its hard for customers to tell the difference between good pen-tests and lame pen-tests, eventually the market price drops towards low grade pen-tests (since the customer is paying for what they expect) and at the low prices, good pen-test teams will close shop and move on to other lines of work..
SensePost Training at Black Hat Las Vegas
The Black Hat Briefings is arguably the most significant technical
security conference in the world. It takes every year in Las Vegas
and also includes a series of diverse technical training courses. For
the sixth time this year SensePost will be presenting a series of
courses from our ‘Hacking By Numbers’ range at the briefings. There
are a number of courses catered for most levels of technical
experience, starting with ‘Cadet Edition’ for novices and ending with
‘Combat’ for expert level hackers.
On vulnerability, root cause, white-listing and compliance
Many years ago, when we first released ‘Setiri’ one of the controls
that we preached was website white-listing. As talk-back trojans
would connect back to arbitrary web servers on the Internet, we
argued that companies should create shortlists of the sites employees
are allowed to visit. This, we argued, was much more feasible than
trying to identify and block known ‘bad’ sites. Of course, there are
a number of other compelling reasons for implementing this kind of
white-listing, and of course nobody does it (even though I’ve seen
fairly good technical implementations of this concept).
and then there was one….
First IBM announced their interest in Watchfire, and now HP announces their interest in SPI Dynamics. “Consolidation in the industry” is one of those horrible phrases that are always bandied about because it makes people seem analytical and fore-casty, but i think its pretty clear that there are stirrings in buyout land right now.. I guess it bodes well for WhiteHatSec and similar folks.. they surely have to be on the radar..
Talking of buyouts, its always been strange for me that CORE have managed to go by as long as they have without being purchased. Their technical roots being in Argentina might have explained it for a little while, but a whole bunch of years later.. i dont get it.. (Having said that, i must add the caveat that i am talking completely through my ear since im pretty sure they would have been approached often enough and could simply have been rejecting offers waiting for the right match..)
Shuttleworth comments on Microsoft/Ubuntu deal rumours
Mark Shuttleworth on his blog makes it clear
-snip-
“We have declined to discuss any agreement with Microsoft under the threat of unspecified patent infringements.”
…
I have no objections to working with Microsoft in ways that further the cause of free software, and I donâ€t rule out any collaboration with them, in the event that they adopt a position of constructive engagement with the free software community.
…
All the deals announced so far strike me as “trinkets in exchange for air kissesâ€. Mua mua. No thanks.
-snip-
Viva Las Vegas!
BlackHat Vegas is almost on us again, and this will be the 6th year running that we present there.. This year Marco and i will be taking a new look at some old attacks.. The bulk of the talk will focus (like its name suggests) on timing attacks, but we will be looking in general at timing, race conditions and other attacks that have not yet been packaged into tools and so are not yet prone to the type of over-fishing we have found with fuzzable bugs..
CSI Corporate Threat Modeling Talk
Whew. After much last-minute war with PPT C# and ORM our slides and
Beta 1.0 of our tool are available on our research site. I think the slides are pretty neat,
and I’m *very* excited about the tool, but unfortunately we didn’t
get as far with the latter as we’d hoped to. Still, it illustrates
the concept pretty nicely and its built pretty solid (thanks James)
so it should grow quickly from here.
Safari on Win32, and browser choices in general..
Gareth linked to David Maynor’s blog where he documents the results of some simple fuzzing against the new Win32 port of Safari. Of course fanboys everywhere are going to be on this one like, erm.. like a thing that is very onto another thing.. but.. i digress..
2 things are interesting in all this for me though..
Why Apple chose now to do the win32 safari release Why anyone in security uses Safari anyway? Most people postulate that the Win32 Safari release is tied to the release of the iPhone. Since 3rd party developers cant build for the iPhone yet, it would seem that web-apps running on iPhone Safari would be the way to go for now.. if you are pushing the browser they need better adoption.. its a reasonable enough theory and i cant imagine its because apple actually want to launch a serious attack against IE/Mozilla on non Apple desktops
More Pentagon data leakage through Office files..
R J Hillhouse (who has a fascinating background) found that when she double clicked a graph on a slide deck belonging to the office of national intelligence (available from the DIA website), the linked spreadsheet popped up..
This effectively revealed “the dollar amounts in tens of millions spent by the US Intelligence Community on contractors”.
Aages ago lcamtuf highlighted info leakage through MS Office files, and it seems these days lots of folks are making lots of money selling blackbox, i will prevent data leakage in your organization type kit.. i haven’t looked in depth at too many of them but have to wonder how many of them would have caught the embedded spreadsheet at all..