08 August 2009
~5 min
By marco
[part 3 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] Our third video write-up covers abuse of cloud services. By signing up for free accounts, it is possible to gain access to small amounts of free resources, specifically processing time and bandwidth. However these resources are tightly controlled to maintain fairness across the many thousands of users who share the same platform. We aim…
06 August 2009
~2 min
By marco
[part 2 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] The premise behind this video was that while we are migrating more and more services into the cloud, the front-end through which the services are accessed as well as managed is (in many cases) a web application and we still have not figured out how to write secure web applications reliably. The implication is…
06 August 2009
~4 min
By marco
[part 1 in a series of 5 video write-ups from our BlackHat 09 talk, summary here] We wanted to demonstrate how access to cloud resources can bring certain attack classes within reach of regular users. Instead of focusing on brute-forcing regular user credentials such as usernames and passwords, we decided to look at less noisy options since failed logins would typically be a closely watched metric. To this end, different…
06 August 2009
~1 min
By marco
Our BH09/DC17 presentation relied heavily on videos for the demos, and they’ve been blogged separately. Links below (will be made active once the upload is complete): [slides] [SugarSync] [SalesForce Clickjack] [SalesForce Sifto] [Amazon Web Services] [MobileME]
05 August 2009
~1 min
By marco
[updated: videos will be made available on this page] 140 slides in 75 minutes. They said it couldn’t be done… and they were right! (mostly) Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slidedeck…
08 July 2009
~4 min
By marco
We were invited to speak at the recent ISSA2009 conference in Joburg, a local, mostly academic security conference, and I decided to carry a message in addition to the regular demo-style talk with which we try to entertain. By coincidence, Haroon also had his peer-reviewed talk on Apple Exploitation Defences accepted, so there were two SensePosters talking to the tweed jackets. I figured the most important bit of the presentation…
’cause there's some serious cloud computing competition on the horizon.. A Google search for Cloud Provider returns the following paid ads.. Now I know conventional logic says it's a bad idea to judge a book by its cover, but..
I really enjoy listening to Mac Break Weekly.. Leo Laporte is an excellent host and I would tune in just to hear [Andy Ihnatko’s] take on the industry and the (possible) motivations behind certain players' moves. (He is sometimes wrong, but always worth listening to.) The only time things ever get a little cringe-worthy is when talk switches to malware and security (although both Andy and Leo for the most…
Ron Auger sent an email to the [WASC Mail list] on some fine work presented recently by Microsoft Research. The paper (and accompanying PPT), titled [Pretty-Bad-Proxy: An Overlooked Adversary in Browsers’ HTTPS Deployments], is pretty cool and shows several techniques for a malicious inline proxy to sniff SSL sessions passing through the proxy. It's genuinely a bunch of cool findings and has been handled neatly (with the exception of some…
The first one from Hacker News, aptly titled “How I Hacked Hacker News (with arc security advisory)”, and the 2nd, a welcome-back-to-the-blogosphere-tptacek post on the Matasano blog: [Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong!] /mh PS. for those going, man I wish someone would break down the important crypto stuff for me in a way that's understandable without being patronizing, there is Chris Eng and his…