Analyzing Flash Files

A friend told me about this, so I thought I'd share....

xxxswf.py is a Python script for carving, scanning, compressing, decompressing and analyzing Flash SWF files. The script can be used on an individual SWF, single SWF or multiple SWFs embedded in a file stream or all files in a directory. The tool could be useful for system admistrators, incident response, exploit analyst, malware analyst or web developers.

http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html

Australian DSD Strategies to Mitigate Targetted Attacks

The annual Blackhat/Defcon cyber security conferences took place last week in Las Vegas, NV. There were more vendors than ever, however the underlying theme of the conference remained the same...understanding/defending/preventing targetted cyber intrusions (a.k.a. APT).

Vendors certainly have their place when it comes to the cyber war against protecting your information, but it is important to understand that there is no silver bullet. Below you will find a very informative (arguably conclusive) list of mitigations (most of which don't require additional hardware/software) to defend against targeted cyber intrustions.

Australian DSD Strategies to Mitigate Targetted Attacks
 

Linux Password Protect Zips

Those of us who work around malware often need to password protect malware specimen within a zip archive in order to avoid accidental infection and/or antivirus quarantine. I can never remember the syntax for doing this from the Linux command line and it always seems hard to find via google, so I thought I would document it here.

To Zip: zip -P <password> -r <output.zip> <input file(s)>

To Unzip: unzip <output.zip>

Northrup Grumman...Another one bites the dust!

A Northrop Grumman E-2C Hawkeye 2000 surveillance and reconnaisance plane lands on a carrier.

In a story recently released by Fox (http://www.foxnews.com/scitech/2011/05/31/northrop-grumman-hit-cyber-attack-source-says/) we see that Northrup Grumman was also compromised via remote access. We can chalk this up to yet another compromise as a result of the intrusion at RSA where the secret sauce was stolen. I wonder if any of these companies are going to go after EMC/RSA for damages?

The article is fairly vague (surprise), but it looks as though the "bad guys" were able to get in. That is unless somebody just accidentally tripped over the cable for the remote access network.

Hackers breached U.S. defense contractors (Reuters)

(Reuters) - "Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters. "

"They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter." Reuters

Here's another link to a similar story from the Taipei Times

Remove Character From Bash Variable

 Sometimes, it is the little things that take an extra few minutes to find on the Internet that really slow you down...

Remove the first character from a bash variable:

VAR=${VAR#?}

Remove the last character from a bash variable

VAR=${VAR%?}

Rename Perl script on the Mac

I love Linux and BSD. I also love my Mac. I really like the user interface, and the underlying BSD roots. (Insert generic Mac fan-pitch)

There are a few things which drive me NUTS about the BSD underpinnings of the Mac, though. MacPorts is a great step in the direction of bringing better Linux/BSD program onto the Mac platform, but it doesn't always have everything you need (And it's pretty slow). The most recent annoyance is the lack of the 'rename' linux command, my favorite of which enables me to bulk rename files based on a regular expression. Yes, I could hack together an awk or bash script to do this each time, but (like Matt), I like simpler == better.

So, when I ran into this issue yesterday, I decided I had enough. It turns out that the rename linux command that I like (based on regular expressions, not some other more simplistic syntax shipped with Redhat) is just a perl script.

So, I found the script on one of my Ubuntu servers (prename), slapped it into /usr/local/bin, and away I went. Much easier than some other custom compiling Mac solutions.

Android and the long-lived authToken

I was very disappointed to hear about Android sending long lived (~2 weeks) auth tokens in the clear for Google services...very similar to the Facebook/Firesheep issue. There are a few writeups, but the research was originally done by Ulm University (http://www.uni-ulm.de/en/in/mi/staff/koenings/catching-authtokens.html).

This specific vulnerability is addressable by server-side changes to enforce SSL when exchanging the tokens. I'm glad to hear that Google is moving forward on fixing this side of things. People are also saying it's only exploitable via WiFi, but I wouldn't be surprised to hear some type of 3G snooping as well.

BUT, this brings up major concerns that the Operating System versions for Android are so fractured, and ultimately are controlled by the wireless providers. Even though the latest version of Android don't exhibit this behavior, the mobile phone companies continue to drag their feet pushing the updates. This is akin to vendors which only support IE6...they drag their feet because they can. I think larger customers need to push back that we need prompt patching (or the ability to self-update!)

Splunk For Dummies

Splunk can be instrumental when it comes to aggregating and correlating data. However, like any tool there is a learning curve involved. Migrating away from Linux command line tools and learning something new when you're already pressed for time can slow the learning process. I've included a tidbit below that will help you get your data into splunk as quickly as possible.

Use the Sinkhole:
/opt/splunk/var/spool/splunk

Any data you move to this directory will be indexed by splunk and the original log files deleted. No modifying a GUI or adding a listener. Simply getting the data in splunk so that it can be searched quickly. Enjoy!

Chrome Falls, Maybe

VUPEN's recent announcement about a possible Chrome flaw has to make everyone say - HEY! Where's the Beef? In a video. Lame. Give us PoC code or keep your mouth shut. I understand security research and selling discoveries. I don't understand selling them and then bragging about your discovery with half-assed details and a video. Sell and shut the hell up to allow your customers to get the full value for their cash. I'd be rather miffed if I were your customer _and had intent_ to use the vulnerability. Responsible disclosure is always an option...

The claim in the advisory:

... we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.

Good find VUPEN! Gratz on taking down Big G's Chrome! Your advisory looks like a Jedi Mindtrick though - "We have the vulnerability you're looking for". Again, I ask you "Where's the Beef, good sirs?" And while you're at it, please explain your intent behind disclosing without Proof of Concept code and lack of vendor contact.

Interesting Bredo Phish..

Sending MTA: 183.7.110.61, Wed,  4 May 2011 08:31:43 +0000 (UTC)
From: FBI <info87644@fbi.gov> (not real, duuh)
Subject: You visit illegal websites
Body: Sir/Madam,we have logged your IP-address on more than 40 illegal Websites. Important: Please answer our questions!The list of questions are attached. pj  aom  vf
Guess what's attached... Document.zip (9a2bb7c1cfd069e4db5e7d46dadce561) containing document.exe (bd3648a60c4c4760db19bba544c2e8d2)


I found this one interesting because most messages attempting to spread a Bredo variant have been something regarding undeliverable UPS, DHL, or FedEx packages, or your credit card was just billed $700.. Now, you get notified that the FBI wants you to fill out a survey to explain your web browsing habits. Nice change of pace. :)

So sad that this works still.

The Cyber Security Conundrum

Ever wonder why cyber security is so hard?
Ever wonder why we deserve more money, resources, etc.?

The graphic above (borrowed) is a simple representation of why defending a network is so much more difficult than penetrating it. Yea I said it, (rebuttals are welcome)! Above we graphically demonstrate the massive landscape within cyber security. The volume of things we support, run, maintain and analyze within a cyber security program on a daily basis is extraordinary. As the capability stack continues to grow (i.e. Data Loss Prevention, Phishing Excercises, <enter new buzzword here>) we must also continue to maintain the cutting edge technology of previous days with a finite set of resources. Meanwhile, an adversary just needs one exploit or an oblivious user to jeopardize the Confidentiality, Availability, or Integrity of the entire operation.        

So when you feel like the chips are stacked against you, they are. So don't dwell and keep fighting!

Blue Coat Partners With FireEye

Last week two of my favorite companies Bluecoat and FireEye announced a partnership. The highlights are below:

"The integration enables malicious domains to be automatically shared from the FireEye MPS to Blue Coat ProxySG appliances, allowing administrators to implement a block/deny policy to stop all attempted connections to such domains and provide logging for customizable reporting specific to the defined categories. Administrators can customize categories and policies to deal separately with zero-day infection URLs and callback URLs. For zero-day, infection URLs, for example, customers can create a policy that refers end users to a coaching page that informs them a drive-by download was blocked. For the callback URL policy, the end user could be alerted that their machine was previously infected and to immediately take remediation steps.  The technical integration works seamlessly and adds significant value to organizations."

This is significant for me as I have done some work in the past at trying to get these two technologies to work together. One such example is a script to scrape certain snort rules (within the FireEye MPS) for domains so that I could feed them to Blue Coat. Use caution with this one as FireEye has some rules for domains that you may not want to block.

I am always in favor of vendors stepping up to create and support a stable solution as opposed to some scripts I hacked up to make my life easier. Hopefully the vendors will do a decent job and not charge an arm and a leg to their customers who already pay top dollar for these technologies!

A Little About Luck...

Luck is when opportunity meets preparation. - Pete Lopez (professor de Monzy)

Pay For Secure Coding, Not Lawyers

Is it cheaper to get a lawyer to fix your buggy software than to hire or train your programmers how to handle data safely? Must be, cauz that's what drives business decisions, right?! Money. Apparently this is the case in Germany with the Magix Incident.

Here the researcher appears to have tried responsible disclosure. Notifying the vendor, even working with the vendor. All PoC code and flaw description is given to the vendor then the vendor sues! Wait, WTF!?! Someone is trying to help you fix flaws in your software, then you bend them over?! Someone who was helping you with his time FOR FREE (as in beer), donating time. Someone who went to the vendor with the flaw, not the exploit market, not directly to public disclosure. WTF?!

Filing a lawsuit against a security researcher that has attempted to follow responsible disclosure practices shows the company doesn't really understand the business environment of software. I can't help but think the management conversation that led to the decision went something like this. "Let's throw lawyers at the problem, Jim. The problem isn't ours! These damn haxors breaking our beloved software. Someone should show them a thing or two about business.", "Sure Bob, that sounds great." No conversation about secure coding. No taking responsibility for the issue.

The way I see it, rather than paying full time employees to sit and audit code for a decent salary + benefits, throw a few bucks at the security researchers that spend their own time looking at your code. What's $500, $1000 (Mozilla bug bounty anyone?!) in the big scheme of things? A cheap ass code audit if you ask me! Surely you'll get more press and relationship mileage out of cooperating with researchers rather than bullying them with ridiculous law and people so far from the issue that they can't even begin to understand it.

Small Businesses = Excellent Target

Reading this article describing actual unauthorized bank account transfers to oversees accounts reminds me of the size of the pink elephant in the room. Large organizations can incur the expense of security specific IT staff. Bigger orgs are more likely to also understand the business risk of Incidents. Not so for the little guy.

Defending Against The APT

Advanced Persistent Threat

Everybody has heard of the APT, yet very few people actually know what they can do to protect themselves. Below is a list of The Top 5 Things you can do to reduce the success of an APT attack:

1) Analyze Incoming Email:  
 a. Pay extra attention to FREE webmail providers like yahoo, gmail, etc.
 b. Attachments that contain embedded exploits to vulnerable software and/or .exe's w/ a modified icon
 c. Links directly to executables, compressed executables (i.e. .zip containing an exe) and web pages attempting to exploit your browser.

2)  Analyze Outbound Connections:
 a. Many HTTP Get requests for long filenames
 b. Many HTTP Post requests (careful not to trip on all that streaming media traffic)
 c. Anomalies on any other outbound protocol you allow outbound
 
3) Ingress Filter:
 a. Make sure all traffic enters the network through YOUR Mail/DNS servers.
 b. This makes #1 Easier

Quick Virus Total Batch Submission

Every now and then you end up with a boat load of potentially "interesting" executables you've recovered from various suspect systems. Where do you start your analysis? Rule out the known stuff first with this handy script to batch submit hashes to Virus Total.

Move Over Arobat Reader, Foxit Reader Is Taking Over

Most of the time I'm a go with the flow, best of breed, don't rock the boat kind of guy. However, everyone has their limits and I've recently reached mine with Adobe! I don't hate all Adobe products (like some other large companies ), but there is one that really rubs me the wrong way and that is Adobe Acrobat Reader.

Adobe pretty much invented the pdf so one would think they would be the best suited to provide a reader for their own format. As it turns out, this intuitive sounding argument is false. At least for me and the use cases in the enterprises that I've come across. The list below provides reason why I think most people should abandon Adobe Acrobat Reader and embrace the Foxit Reader, which sucks wayyy less...I promise!

1) The Installer: No, I don't want all of this browser plugin crap, that doesn't work half of the time. I just want the damn installer. What do you mean I have to install all of this browser plugin crap because that is the ONLY way to get your silly software!

2) The Size: This application is HUGE! It the Portable Document Format...so why isn't the viewer very portable? Also, did  you know that there is some other acrobat executable that gets run when you just hover over a pdf?  Hopefully this code has no bugs...or you'll be pwned by simply hovering over a malicious pdf. 

3) The "Features": Nobody uses 90% of the capabilities of their reader. Perhaps they have never heard of the KISS (Keep It Simple Stupid) concept?

4) The Security: Last but certainly not least! Its only April and Adobe has already released 5 security updates this year alone. Most of which were actively being exploited long before Adobe decided to bless us with a patch. Most software is insecure, I get it. But when you produce a product with a ton of unnecessary bloat this increases the security risk unnecessarily as well.

I'm done ranting...(yes, I do feel better now). Thanks for reading. If you have any Reader horror stories or better solutions, please feel free to share...

Converting Apache Timestamps to Something Forensically Useful

Your webserver got popped. Bad guys are using it as a phishing link destination to compromise browsers. You get the fun part of forensic analysis of the host to figure out how the compromise happened. Sweet! Let's make a time line of filesystem activity and add to that the Apache Access log data.

There are two problems to solve.
1) Standardize time. (I prefer GMT)
2) Standardize your time line data. (I prefer the Bodyfile format)

So you use The Sleuthkit to gather some time data from the filesystem and have some time line data you want to add the Apache data. Now you have some conversion to handle, but I already went through the trouble. Get the Apache Log Bodyfile Conversion script here. For now it only has support for Apache Access Combined Log format. It will soon be expanded to handle Error log data.

Apache Combined Access Log Default Timestamp Format:
The default looks like this: [27/Mar/2011:06:40:10 +0000] and that isn't too useful for sorting by time. We have to take this and convert it to Unix epoch time format. The Apache log conversion script does this.

Apache to Bodyfile Format:
Here, whatever you feel will be useful to extract from the Apache log and add to the master time line you take. The script by default takes the client's IP and the request line. It is easy enough to modify the script to export other data. Line 82 contains the format string for the bodyfile output.

Now you have Apache data compatible with The Sleuthkit's mactime time line creator. Happy hunting.

ORNL Gets Pwned

If this were a mastercard commercial it would go like this:

- Obtaining an Internet Explorer 6,7,8 0-day  =  $$$$

- Creating 570 HR Phishing Messages  =  $

- Enticing 50 ORNL Employees to Click Links  =  $$

- Establishing Persistence on 2 ORNL machines  =  $$$

- Forcing a National Laboratory Off The Net  = PRICELESS!!!! 

When it comes to the APT campaign that took place on April 7, 2010, it appears as though Oak Ridge National Laboratory was the biggest loser. They can now take their place beside Google and RSA on the ever growing list of APT victims. With each new compromise by the APT it becomes more apparent that our current approach to computer security is NOT enough. We must do more to secure our computers and our data! Maybe we can look to those who have fought before us; learn from them and start fighting this war like we actually want to win...

"Invincibility lies in the defence; the possibility of victory in the Attack." - Sun Tzu

 

Chrome Proves Resistant to Browser Rape

Consider this. You notice that each time you leave your house wearing that provocative red shirt that screams you're "asking for it", you get raped. You not only get raped, but each time you catch a different nasty STD that your family Doc doesn't know how to cure nor detect reliably with a blood test. The STDs make you randomly empty the cash from your wallet, give strangers all your on-line bank login credentials, tell all your best invention ideas to randoms, and make you continuously dial a phone number for long periods of time. Common sense says that you'd stop wearing that red shirt, unless you were into living out rape fantasies and these fun remnants.

Why then do we still use software that has proven to be that red shirt rapists like? Because we are lazy, afraid of change, and don't give ourselves credit for being at least intelligent enough to figure out how to use another simple application like a web browser. Internet Explorer just one of these red shirts! You have little need for this red shirt outside interacting with it's vendor.

I can admit that non-technical folks can get lost with Firefox + NoScript, as it requires the user have a clue. Chrome on the other hand, is pretty much a drop-in replacement for IE that has proved its resilience to attack (we can debate the reasons another time) in the Pwn2Own 2011 contest at CanSecWest. Whatever the reasons for it surviving, my point is it does not appear to be a worthy target for browser rapists yet.

The Chrome developers have also taken a serious step towards user awareness with the Phishing and Malware detection based on Google's own samples of these URLs. Not to mention the browser is sandboxed! Read more at Chrome's propaganda site.

Security is not about hiding under the nice soft safety blankey of a firewall and an AV product that soo many "security professionals" seem to do. It is a much bigger thing that includes altering the attack surface to be in your favor, behavior modification, and education. Do your part to prevent software rape, please.

WDE can't handle AF Drives

With the recent release of SandyBridge capable Macbook Pro's and Dell Latitudes, a storm which has been quietly brewing is coming to the forefront. Advanced Format (AF) drives (http://en.wikipedia.org/wiki/Advanced_Format), a specification in the works since 1998, finalized in 2010, and implemented in 2011, appears to have completely caught Symantec and others off guard when it comes to their whole-disk encryption software. AF drives store data in 4096-byte sectors instead of 512-byte sectors like previous drives. this is a GOOD THING, allowing much larger drives and more efficient use of the bus.

However, Whole Disk Encryption vendors such as Symantec (PGP) apparently chose to ignore the upcoming standard (and drives/hardware currently hitting the market). The result is corruption of the system upon encryption. No word on when a fix will be out.

Forum posting on the issue. http://www.symantec.com/connect/forums/sandy-bridge-macs-unable-boot-after-encrypting-pgp-1011

Common' guys...we saw this coming for years!

China Pwns U.S.

Reuters released a special report entitled, "In cyberspy vs. cyberspy, China has the edge"  The report basically calls out the elephant in the room and sheds some light on many of the underlying details between the cyber warefare taking place between the U.S. and China.

Even Your Firewall Sucks!

If there was one device on your network that you would think you could trust....think again! The exploit used to fool your firewall into appearing trusted is called the "TCP Split Handshake". Apparently this flaw has been around for years, but is only now getting the attention that it deserves. An NSS Labs report says, "Five of the six products allowed external attackers to bypass the firewall and become an internal 'trusted machine.'" The only firewall tested by NSS labs that didn't was the Check Point one. No wonder I can't keep anyone out of my network...

See the links below for all of the fine details:
 

http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html

http://www.pcworld.com/businesscenter/article/225115/firewall_vendors_challenge_findings_of_nss_labs_report.html

http://nmap.org/misc/split-handshake.pdf

April 2011 Adobe 0-day

Adobe released an official announcement  today regarding CVE-2011-0611 stating that Adobe Flash Player, Adober Reader, and Acrobat all contain a vulnerability that "could cause a crash and potentially allow an attacker to take control of the affected system."

Additionally, Adobe mentions that there are already "reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Word (.doc) file delivered as an email attachment, targeting the Windows platform." To see more about this exploit see the writup over on Mila Parkour's blog.

As many of your already know, RSA (a large security company) was infiltrated by the Advanced Persistent Threat (APT) as a result of last month's critical Adobe Flash vulnerability.

**UPDATE**
Adobe has updated their advisory stating that we should have a patches on the days listed below:
- Flash player by April 15th
- Adobe Acrobat and Reader by April 25th
- Adobe Reader X for Windows, which uses "Protected Mode" (a.k.a. sandbox) by June 25th.

April 2011 Patch Tuesday is a DOOZY!

In Microsoft's Advance Notification Bulletin they recently announced a whopping 17 Bulletins! 

These include the following software categories:

- Windows Operating System and Components (OS + IE)

- Microsoft Office Suites and Software (duh, Office)

- Microsoft Server Software (more Office)

- Microsoft Developer Tools and Software (Visual Studio)

The severity breakdown is as follows:

CRITICAL - 9

IMPORTANT - 8 

***PAY EXTRA CLOSE ATTENTION TO BULLETIN 1, which affects ALL versions of Internet Explorer on ALL supported Operating Systems!  Rumor has it that PoC code already exists and boxes are already being actively exploited! So enjoy your weekend, because there is gonna be a lot of folks frantically patching boxes next week.

DVLabs 2010 Risk Report

The security researchers over at Tipping Point (a.k.a. DVLabs) recently released a 2010 Full Year Top Cyber Security Risks Report. Back in my younger years I used to think that annual reports with pretty pictures and colorful graphs were only useful to pointy headed managers who couldn't understand tech. But now that I'm older and more mature I can sort of appreciate these reports as well!

Here are some highlights:

- "the annual number of vulnerabilities being discovered in commercial computing systems has remained steady from 2009 to 2010. At the same time, targeted exploits that take advantage of these known vulnerabilities have continued to increase in both severity and frequency. This means that unpatched or unupdated systems are putting enterprise data centers at a huge risk for being compromised." (See NASA they think patching is important too!!!)

Google Security Chief: Incidents are going to happen

Eran Feigenbaum, Director of Security for Google Apps, gave the closing keynote at EDUCAUSE Security Professionals conference today. The presentation was on information security in the cloud. He made some interesting points on cloud security (Cloud security isn't perfect...but neither is non-cloud). I'm still thinking through thoughts on that.

One part that did strike me was a part of his speech in which he gave the quote that "Incidents are going to happen"...the question is what do we do to deal with it? He joked about people blogging about that quote, and that it's out of context...but I think that it's spot on, and way too many people in information security don't take that perspective (RSA? NASA?).

NASA Found Guilty of Sucking at Security!!!

On March 28, 2011 the Inspector General for NASA published a report detailing the  "Inadequate Security Practices" observed on NASA critical networks. The highlights include the following:

- Six Internet facing servers had critical vulnerabilities

- Exposed encryption keys

- Encrypted passwords

- User-account information 

I understand that vulnerability scanning and patching across a large enterprise can be a difficult task. Most government installations have a difficult time maintaining and managing their assets. I get it. But what is inexcusable is that this could have endangered "various missions, including controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope." But wait, it gets worse! These flaws could have been prevented and "occurred because NASA had not fully assessed and mitigated risks to its Agency-wide mission network and was slow to assign responsibility for IT security oversight to ensure the network was adequately protected." This was something that was brought to their attention in May 2010!

Linda Y. Cureton, NASA CIO

NASA you've gone too far this time! In the days of APT and countless waves of spear phishing campaigns I cannot believe there are agencies out there who still don't have active vulnerability discovery and patching programs. NASA, there is no excuse for failing this miserably! Can somebody please get this organization some help?

Oh those were just emails and customer names!

Reuters and others have reported today that the Epsilon data breach has resulted in loss of data for over 40 billion customers. Marriott, BestBuy, Target, Home Shopping Network and many other Epsilon clients lost people's emails and contact information. Its not like they lost your social security number or your credit card number. In a Yahoo news story, "Security experts said the massive data breach should only put customers at risk if they respond to camouflaged emails seeking their credit card and other financial information." No one really clicks on scam spams. The underground web economy is flourishing from selling chicken pot pies.

SERIOUSLY!!!! When are these self proclaimed security people going to get it? "Just do blah and you'll be fine" isn't going to cut it for the average consumer! Its like the car companies saying, "you don't need seat belts. Just be safe on the road." Oh wait! didn't Epsilon have security experts!

2wire Dictionary Script

If your neighborhood is like mine then you most likely see a bunch of 2wire### wireless ssid's being broadcasted. In California (I'm not sure if this holds true for the rest of the country) 2wire hardware is the standard for AT&T U-verse. 

The 2wire box and it's capabilities seem decent, except for one thing... The techs from AT&T who set these devices up often use the default password for wireless, which is a 10 digit numeric password conveniently located on the side of the box (see image below). To the credit of the techs, they do usually enable WPA2 (even though the devices will usually support WEP as well). However, using the default 10 digit numeric password only leaves 10^10  password possibilities, which in computer terms only takes a few days to crack!

NextGenHacker101...Inspiring The Future

I'm sure most of you are already aware (I've been fooled twice already) that it's April 1. I appreciate all of the effort that goes into creating such complex parody's and spoofs. However, some of the best things in life just can't be made up. Below is one of my favorite "instructional videos" from youtube on how to use the trace route command "tracert".



I have watched this video at least a dozen times over the years and to this day it still makes me laugh. Happy April 1st everyone!

Internet Explorer 8 on Windows 7 - Zero Day Trifecta!

CVE-2011-1347: Unspecified vulnerability in Microsoft Internet Explorer 8 on Windows 7 allows remote attackers to bypass Protected Mode and create arbitrary files by leveraging access to a Low integrity process, as demonstrated by Stephen Fewer as the third of three chained vulnerabilities during a Pwn2Own competition at CanSecWest 2011. 

As far as I know this string of exploits is NOT publicly available at the moment, but if you want to read more check out the full story on zdnet.

Stephen Fewer: If you look closely you can see his brain radiating heat!

Anytime you get a bunch of geeks together and are giving away free computers and ca$h, it's a pretty good bet that something is gonna break. Nice work Fewer! 

RSA Pwned!

In a recent announcement RSA (one of the bigger security companies) announced that it was pwned by the big bad APT!


 If Ph.D. Mathematicians and truck loads of money can't figure out how to secure their intellectual property (when their claim to fame is helping to secure mine), there isn't much hope for the rest of us :(

I guess this means even more job security. Thanks for all the help "securing" my enterprise! I'm off to start parsing RSA ACE server logs...

Obligatory First Post...

This is the first post for a blog that will serve as the testing grounds for what could be the greatest security blog ever!!!