Research
Playing with Python Pickle #1
In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized data. The caches were not homogenous and so the data was quite varied: Java objects, ActiveRecord objects from RoR, JSON, pre-rendered HTML, .Net serialized objects and serialized Python objects. Serialized objects can be useful to an attacker from a number of standpoints: such objects could expose data where naive developers…
Analysis of a UDP worm
From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low-detection rate. Anti-Virus coverage was 15/43 (35.7%) based on a virustotal.com report and Norman sandbox did not detect any suspicious activity as shown in the report below: Norman sandbox report did not show any registry or network activity. This might be due to the…
Information Security South Africa (ISSA) 2010
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click through to SlideShare for the original PDF.) The talk is an introductory overview of Privacy from a Security perspective and was prompted by discussions between security & privacy people along the line of “Isn’t Privacy just directed Security? Privacy is to private info what PCI is to card info?” It…
Memcached talk update
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to this; explanations for the interest are welcome! We wanted to highlight a few points that didn’t make the slides but were mentioned in the talk: Bit.ly and GoWalla repaired the flaws extremely quickly, prior to the talk.…
BlackHat Write-up: go-derper and mining memcaches
[Update: Disclosure and other points discussed in a little more detail here.] At BlackHat USA last year we spoke about attacking cloud systems, while the thinking was broadly applicable, we focused on specific providers (overview). This year, we continued in the same vein except we focused on a particular piece of software used in numerous large-scale application including many cloud services. In the realm of “software that enables cloud services”,…
SensePost Corporate Threat(Risk) Modeler
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle behind the tool, first released in 2007 at CSI NetSec, was to throw out existing threat modeling techniques (it’s really attack-focused risk) and start from scratch. It’s a good idea and the SensePost approach fits nicely between the heavily formalised models like Octave and the quick-n-dirty’s like attack trees. It…
Password Strength Checker & Generator
In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I licensed them under the GPL, and I think it’s about time they saw the light of day. There are a couple of tools, which I will explain below. They’re all written in JavaScript, primarily because it is cross-platform,…
GlypeAhead: Portscanning through PHP Glype proxies
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes from their proxy networks. Although ‘proxy’ is normally thought to imply some sort of daemonized application, such as Squid (or a SOCKS) daemon, the last couple of years have heralded in the age of CGI proxies and more commonly, their PHP variants. These PHP proxies are extremely trivial to deploy…
Defcon-17 – Clobbering the Cloud
Our DC-17 video (of the “Clobbering the Cloud” talk) is now available on the the new look DefCon download site: [here] All of the other DC17 videos can be found [here] (if you are a senseposter, you can grab them with descriptions from [here])
MS Threat Modeller
Just arbitrary coolness regarding Microsoft’s Threat Modeller. It’s XSS-ible… Since this all works in file:///, not overly sure what the benefits of these things will be, but I suppose since different folks may have different privilege levels for different protocol handlers (ie: file:// http:// etc), one might be able to instantiate previously unusable OCX’es, or even redirect to site for exploiting browser vulnerabilities. Never happened unless there are pictures, so refer…