Posted by Tyler Shields in RESEARCH, June 30, 2009
The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing with this post, I suggest you take a few minutes and breeze through the slide deck linked here. It’s an easy and interesting read, so get to it…
Mr. Herzog suggests in this presentation that the “Defense in Depth” strategy, as applied to network defense, is ineffective and antiquated and needs to be replaced with a new, updated defense model. His …
Posted by Chris Wysopal in RESEARCH, June 17, 2009
It was an integer overflow.
I guess it is never too late to fix a bug. Don Hodges used the old arcade game’s firmware (its ROM) and the MAME emulator to debug and fix a problem that has kept expert Donkey Kong players from ever getting past level 22. If you have seen The King of Kong, you know that one of the challenges of getting a high score is scoring as many points as possible before a software glitch ends the game abruptly at level 22. This is because the time is calculated incorrectly and there is not …
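To make the bug class concrete, here is an added C example (mine, not Hodges’ disassembly or code from the post). It assumes the bonus-timer formula that Hodges’ analysis reports, 10 × (level + 4) capped at 80 (displayed ×100, so 5000, 6000, 7000, then 8000), held in an 8-bit register; the excerpt above does not state the formula, so treat it as an assumption here. The buggy version narrows to a byte before the cap is applied, so level 22 yields 260 mod 256 = 4 instead of 80:

```c
#include <stdint.h>
#include <stdio.h>

/* Bonus timer as reported in Hodges' analysis of the Donkey Kong ROM
 * (an assumption for this example; the post excerpt does not spell it out):
 *   bonus = 10 * (level + 4), capped at 80, shown on screen x100
 * so levels 1..4 get 5000, 6000, 7000, 8000 and every later level 8000.
 * The original keeps the result in an 8-bit register. */

/* BUGGY: the product is narrowed to a byte before the cap is tested, so
 * level 22 gives 10 * 26 = 260, which wraps to 4 (a 400-point timer);
 * 4 is below the cap, so the check never repairs it. */
uint8_t bonus_timer_buggy(uint8_t level)
{
    uint8_t bonus = (uint8_t)(10 * (level + 4));   /* wraps mod 256 */
    if (bonus > 80)
        bonus = 80;
    return bonus;
}

/* FIXED: do the arithmetic in a type wide enough for any level, clamp,
 * and only then narrow to the register width. */
uint8_t bonus_timer_fixed(uint8_t level)
{
    unsigned int bonus = 10u * ((unsigned int)level + 4u);
    if (bonus > 80u)
        bonus = 80u;
    return (uint8_t)bonus;
}

/* First level at which the two disagree: the "kill screen". Returns -1 if none. */
int first_kill_screen_level(void)
{
    for (int level = 1; level <= 255; level++)
        if (bonus_timer_buggy((uint8_t)level) != bonus_timer_fixed((uint8_t)level))
            return level;
    return -1;
}

int main(void)
{
    for (int level = 20; level <= 24; level++)
        printf("level %2d: buggy %u00, fixed %u00\n", level,
               (unsigned)bonus_timer_buggy((uint8_t)level),
               (unsigned)bonus_timer_fixed((uint8_t)level));
    printf("first divergence at level %d\n", first_kill_screen_level());
    return 0;
}
```

The fix is the general one for this class: compute in a type wide enough for the largest input, clamp, and only then narrow. Testing the cap after the narrowing is exactly what lets the wrapped value slip through.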
Posted by Chris Eng in RESEARCH, June 15, 2009
As of July 1, all personal computers sold in China must come pre-installed with content-filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally the technology will also serve to “protect” viewers from offensive text and images such as politically sensitive content. Following this announcement, researchers at the University of Michigan published a report detailing several remotely exploitable vulnerabilities in the Green Dam software. These include:
Stack buffer overflow in the URL blacklisting code due to a fixed-length buffer, triggered by URLs longer than approximately 2064 …
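The first item is the classic fixed-length-buffer mistake. The added C example below (mine, not Green Dam’s code or anything from the Michigan report) shows the vulnerable pattern beside a hardened version. The buffer size, the blacklist entries and the URLs are constructed for the demo and are not the real ones:

```c
#include <stdio.h>
#include <string.h>

/* Illustrative buffer size for the demo, not Green Dam's (the report above
 * puts the real threshold near 2064 bytes). */
#define URL_BUF 64

/* Constructed blacklist for the demo (assumption, not from the report). */
static const char *const BLACKLIST[] = { "badsite.example", "evil.example" };
#define BLACKLIST_LEN (sizeof BLACKLIST / sizeof BLACKLIST[0])

static int matches_blacklist(const char *url)
{
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (strstr(url, BLACKLIST[i]) != NULL)
            return 1;
    return 0;
}

/* VULNERABLE pattern: an attacker-controlled URL is copied into a fixed
 * stack buffer with no length check. Anything longer than URL_BUF - 1 bytes
 * writes past 'buf' onto the stack: the bug class the report describes.
 * Kept only for contrast; never call it on untrusted input. */
int url_blacklisted_vulnerable(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                       /* unbounded copy */
    return matches_blacklist(buf);
}

/* HARDENED: bound the terminator scan, fail closed on anything that does
 * not fit, and copy with an explicit size. Returns 1 = blacklisted,
 * 0 = allowed, -1 = rejected as over-long. Rejecting rather than
 * truncating matters: a truncated copy could drop the very substring the
 * blacklist would have matched. */
int url_blacklisted_safe(const char *url)
{
    char buf[URL_BUF];
    const char *nul = memchr(url, '\0', URL_BUF);  /* reads at most URL_BUF bytes */
    if (nul == NULL)
        return -1;                          /* no terminator within the buffer size */
    size_t len = (size_t)(nul - url);       /* len <= URL_BUF - 1 */
    memcpy(buf, url, len + 1);              /* includes the NUL */
    return matches_blacklist(buf);
}

/* Run the safe check on a constructed URL of exactly n non-NUL bytes. */
int safe_check_len(size_t n)
{
    char url[4096];
    if (n >= sizeof url)
        return -2;
    memset(url, 'a', n);
    url[n] = '\0';
    return url_blacklisted_safe(url);
}

int main(void)
{
    printf("short allowed url -> %d\n", url_blacklisted_safe("http://ok.example/"));
    printf("short blocked url -> %d\n", url_blacklisted_safe("http://badsite.example/x"));
    printf("%d-byte url -> %d\n", URL_BUF - 1, safe_check_len(URL_BUF - 1));
    printf("%d-byte url -> %d\n", URL_BUF, safe_check_len(URL_BUF));
    printf("2064-byte url -> %d\n", safe_check_len(2064));
    return 0;
}
```

The boundary case is the one to check: a URL of exactly URL_BUF − 1 bytes is the longest that fits with its terminator and is accepted; one byte more is refused before any copy happens.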
Posted by Chris Wysopal in RESEARCH, June 9, 2009
Vaserve, a UK web-hosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero-day attack on HyperVM, a virtualization application it used. HyperVM was a product of lxlabs.
I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their forum, the first post in a new topic, “Security”, on April 10, 2009. It was not replied to until yesterday.
http://forum.lxlabs.com/index.php?t=msg&th=11197&start=0&:
Lxadmin/hyperVM has become popular enough that people are SPECIFICALLY …