2008
Very decent Security Podcast..
I am probably one of the last ppl around to discover this, but ill post it here for the (probably) 2 other ppl in the world who have yet to stumble upon: Risky Business. Its pretty hard to find good quality security podcasts without some pretty sad signal to noise ratios (or adverts on spinwrite) but risky business is def. a keeper.. i downloaded a few older episodes to help…
rethinking ye old truths
since forever, i’ve been told (and told others) that the greatest threat is from the inside. turns out, not so much. verizon business (usa) apparently conducted a four year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. however, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches etc. (62% of cases). So attackers…
Carpet Bombing and eating Crow…
The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was “if a line starts with: “thats not exploitable, its only..” then odds are you are wrong..” But.. lots of people quicker and smarter than me [1, 2, 3] blogged (or twittered) about why this was a silly…
This has nothing to do with anything technical..
but since it made me eat crow, i figured i would share it.. Although i read a fair bit, i stopped really reading fiction many many moons ago. Its something i often feel ill try to get back into when im a little older with more time (like playing golf), but right now it somehow always feels like fiction pieces give off less real information than their non-fiction counterparts.. To…
DefCon 16 – Hmm.. 2 of these talks seem familiar…
Some of the DC16 speaker summaries have been posted, and these 2 caught my eye: and Both descriptions seem pretty much spot on with what we did in our DefCon talk last year.. hmm.. wonder if its new twists on it, or a little more of the same? /mh
ActiveX Repurposing.. (aka: Other bugs your static analyzer will never find..) (aka 0day^H^H 485day bug!)
Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because of the ridiculously high hit rate we have whenever we look at controls with a slight security bent.. When building the presentation i dug up an old advisory we never publicly released (obviously we reported it to the vendor who (kinda) promptly fixed the bug (without giving us any credit…
If you run Debian (or a Debian Derivative, like Ubuntu)…
Then you probably should get on this one… [Problems with Random Number Generator] While it looks like an arb openssl bug, 2 seconds of reading should get you to: -snip- It is strongly recommended that all cryptographic key material which has been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is recreated from scratch. && Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for…
Should I stay or should I Gobi? Your support needed!
Hello All, Some of you might remember that I climbed Mount Kilimanjaro two years ago. What you might not know is the REASON I did this (apart from the jol) was to o raise funds for CNCF, a Foundation that is a true oasis and a refuge to the street children of Vietnam and Mongolia. CNCF – The Christina Noble Children’s Foundation is an International Partnership of people dedicated to…
Phrack is dead.. long live Phrack ??
Uninformed has certainly done awesomely at filling in the gap left when phrack went silent, but there is something nostalgic about reading phrack… it seems like issue 65 has just hit the streets..
Its my SensePostaversary!
Whoa! time flies when you having fun… (click for orig.)