Posted by Chris Eng in RESEARCH, June 15, 2009
As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam. The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to “protect” viewers from offensive text and images such as politically sensitive content. Subsequent to this announcement, researchers at the University of Michigan have published a report detailing several remotely exploitable vulnerabilities in the Green Dam software. These vulnerabilities include:
- Stack buffer overflow in URL blacklisting code due to a fixed-length buffer, triggered by URLs longer than approximately 2064 …
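As an added example (not Green Dam's code and not taken from the Michigan report), here is the bug class in miniature: a blacklist check that copies the URL into a fixed-length stack buffer with no length check, next to a version that measures first and fails closed. The 2064-byte buffer is an assumption taken from the "approximately 2064" figure above; the blacklist entries and URLs are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative URL-blacklist code, added to show the bug class; it is not
 * Green Dam's source. The 2064-byte buffer is an assumption taken from the
 * "approximately 2064" figure in the excerpt. */
#define URL_BUF 2064

enum verdict { URL_ALLOW = 0, URL_BLOCK = 1, URL_TOO_LONG = -1 };

/* Constructed sample blacklist of host names. */
static const char *const blacklist[] = { "badsite.example", "evil.example" };

/* Lower-case a NUL-terminated string in place (normalisation before matching). */
static void lowercase(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Substring match of each blacklist entry against the normalised URL. */
static int matches_blacklist(const char *norm_url)
{
    size_t i;
    for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++)
        if (strstr(norm_url, blacklist[i]))
            return 1;
    return 0;
}

/* VULNERABLE: the URL is copied into a fixed-size stack buffer with no
 * length check, so a URL of URL_BUF bytes or more runs past the buffer and
 * overwrites the saved frame pointer and return address. Kept only to show
 * the pattern; never feed it untrusted input. */
int check_url_vulnerable(const char *url)
{
    char buf[URL_BUF];
    strcpy(buf, url);                 /* unbounded copy: the bug */
    lowercase(buf);
    return matches_blacklist(buf) ? URL_BLOCK : URL_ALLOW;
}

/* HARDENED: measure first, refuse oversized input, then copy with an
 * explicit bound. A content filter should fail closed, so the caller
 * treats URL_TOO_LONG as a block, not as permission. */
int check_url_hardened(const char *url)
{
    char buf[URL_BUF];
    size_t n = strlen(url);
    if (n >= sizeof buf)
        return URL_TOO_LONG;
    memcpy(buf, url, n + 1);          /* n + 1 <= sizeof buf, NUL included */
    lowercase(buf);
    return matches_blacklist(buf) ? URL_BLOCK : URL_ALLOW;
}

/* Constructed over-long URL ("http://" followed by 'a's) of the requested
 * total length, capped at the static buffer size. */
const char *constructed_long_url(size_t total_len)
{
    static char big[8192];
    if (total_len >= sizeof big)
        total_len = sizeof big - 1;
    memset(big, 'a', total_len);
    if (total_len >= 7)
        memcpy(big, "http://", 7);
    big[total_len] = '\0';
    return big;
}

int main(void)
{
    const char *urls[] = { "http://BadSite.example/index.html", "http://fine.example/" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-36s -> %d\n", urls[i], check_url_hardened(urls[i]));
    /* 3000 bytes: the hardened path rejects it; the vulnerable path would
     * smash the stack (with -fstack-protector the process aborts). */
    printf("3000-byte URL -> %d\n", check_url_hardened(constructed_long_url(3000)));
    return 0;
}
```

Build with -fstack-protector-all and pass the 3000-byte URL to check_url_vulnerable to see the abort; the hardened version never touches the buffer until it knows the input fits. Returning URL_TOO_LONG instead of URL_ALLOW is the part practitioners get wrong: once the overflow is fixed, an oversized URL must still not slip past the blacklist.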
Posted by Chris Wysopal in RESEARCH, June 9, 2009
Vaserve, a UK web hosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero-day attack on HyperVM, a virtualization application it used. HyperVM was a product of lxlabs.
I checked out the lxlabs product documentation and website and could not find any reference to using a secure development lifecycle. I did find this rather disturbing post to their forum, the first post on a new topic, “Security”, on April 10, 2009. It was not replied to until yesterday.
http://forum.lxlabs.com/index.php?t=msg&th=11197&start=0&:
Lxadmin/hyperVM has become popular enough that people are SPECIFICALLY …
Posted by Chris Wysopal in RESEARCH, May 28, 2009
It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke’s position under President Clinton.
This position will be critical for organizing the government’s fragmented information security efforts, both for the government sector and for the country’s infrastructure, which is largely privately owned. Many of the security tasks that must take place to improve our nation’s security posture are well known. They are already employed by forward-thinking and risk-averse sectors such as the financial industry. The challenge is rolling …
Posted by Chris Eng in RESEARCH, May 19, 2009
In lieu of actual technical content, and inspired by Jeremiah’s blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, “No one at the organization knows about, understands, or respects the issue.”
I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them about the best responses they’ve heard from customers that reflect a lack of understanding or respect for a pen test finding. These often start with the proclamation, “that’s impossible…” followed by one of …
Posted by Chris Eng in RESEARCH, May 4, 2009
If you visit this article on the New York Times website, you’ll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore]
Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here’s an example of an IDG article that was served up in similar fashion — note the word /external in the URL. When importing the article, the New York Times allows …
Posted by Chris Eng in RESEARCH, April 27, 2009
As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact that I didn’t get my solution in early enough to win the cash prize — but so far, I haven’t seen anybody write up a walkthrough, so I thought I’d do one.
If you haven’t taken a crack at it yet …
Posted by Chris Eng in RESEARCH, April 20, 2009
If you’re at RSA this week, be sure to check out this panel discussion, featuring Veracode’s Chris Wysopal along with Jerry Archer, Mary Ann Davidson, and Brian Chess. Abstract as follows:
The growth of Web 2.0 has highlighted two significant trends in application security. First, as the network has hardened, attacks against applications have dramatically increased. Second, an explosion in use of dynamic code has resulted in serious security problems. This panel will discuss these problems and provide software assurance through use of source code versus binary code analysis.
The session is AND-105 and it’s happening on Tuesday, April 21 at …
Posted by Chris Eng in RESEARCH, March 30, 2009
The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot:
According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million.
When the machine’s winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz to go to the “winners circle” to claim his prize, according to the statement. But other OLG employees immediately arrived and told him that the corporation would not be paying, because there had been …
Posted by Chris Wysopal in RESEARCH, March 16, 2009
I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality, but a few still stood out for me:
Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a QuickTime heap overflow. He got the built-in iSight camera to take a picture of his victim and send it to him just …
Posted by Chris Wysopal in RESEARCH, March 4, 2009
A security bug was found in djbdns, and Daniel Bernstein has paid his promised security bug bounty for the first time. More details about the bug are on BugTraq.
Date: 4 Mar 2009 01:34:21 -0000
From: D. J. Bernstein
To: dns@list.cr.yp.to
Subject: djbdns
Posted by Tyler Shields in RESEARCH, February 27, 2009
In this final part of the anti-debugging series we’re going to discuss process and thread block based anti-debugging. Processes and threads must be maintained and tracked by the operating system. In user space, information about each process and thread is held in memory in structures known as the process environment block (PEB) and the thread information block (TIB), which forms the start of the thread environment block (TEB). These structures hold data pertinent to the operation of that particular process or thread, and they are the same data that many of the API-based anti-debugging methods we discussed previously read under the hood: IsDebuggerPresent, for instance, simply returns the PEB’s BeingDebugged byte.
When a debugger or reverse engineer tries …
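As an added illustration (not code from this series), here is how the PEB fields behind those API checks can be read directly. The offsets are the public PEB layout: BeingDebugged at +0x002 on x86 and x64, NtGlobalFlag at +0x068 (x86) and +0x0BC (x64). The checks take the PEB as a byte image so they can also run over a constructed image on a non-Windows host; the Windows-only current_peb helper, which assumes NtCurrentTeb() and the TEB definition from winternl.h, walks TEB -> PEB on a live process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example of PEB-based checks; not the series' own code. Offsets
 * follow the public PEB layout: BeingDebugged at +0x002 on both x86 and
 * x64, NtGlobalFlag at +0x068 (x86) and +0x0BC (x64). */
#define PEB_OFF_BEINGDEBUGGED  0x002u
#define PEB_OFF_NTGLOBALFLAG32 0x068u
#define PEB_OFF_NTGLOBALFLAG64 0x0BCu

/* Heap flags the loader sets in NtGlobalFlag when the process is *created*
 * under a debugger (not when one attaches later). */
#define FLG_HEAP_ENABLE_TAIL_CHECK   0x10u
#define FLG_HEAP_ENABLE_FREE_CHECK   0x20u
#define FLG_HEAP_VALIDATE_PARAMETERS 0x40u
#define DEBUGGER_HEAP_FLAGS (FLG_HEAP_ENABLE_TAIL_CHECK | \
                             FLG_HEAP_ENABLE_FREE_CHECK | \
                             FLG_HEAP_VALIDATE_PARAMETERS)

/* PEB.BeingDebugged is the byte IsDebuggerPresent() returns; reading it
 * directly sidesteps a hooked IsDebuggerPresent. Returns 1/0, or -1 if
 * the image is too short to contain the field. */
int peb_being_debugged(const uint8_t *peb, size_t len)
{
    if (len <= PEB_OFF_BEINGDEBUGGED)
        return -1;
    return peb[PEB_OFF_BEINGDEBUGGED] != 0;
}

/* NtGlobalFlag check: all three debug-heap flags set means the process was
 * started under a debugger. Survives a debugger clearing BeingDebugged. */
int peb_ntglobalflag_debugged(const uint8_t *peb, size_t len, int is64)
{
    size_t off = is64 ? PEB_OFF_NTGLOBALFLAG64 : PEB_OFF_NTGLOBALFLAG32;
    uint32_t flags;
    if (len < off + sizeof flags)
        return -1;
    memcpy(&flags, peb + off, sizeof flags);
    return (flags & DEBUGGER_HEAP_FLAGS) == DEBUGGER_HEAP_FLAGS;
}

/* Constructed PEB image for demonstration: zeroed, with the two fields set
 * the way a debugger-launched process would have them. */
void construct_peb_image(uint8_t *peb, size_t len, int is64, int debugged)
{
    size_t off = is64 ? PEB_OFF_NTGLOBALFLAG64 : PEB_OFF_NTGLOBALFLAG32;
    uint32_t flags = debugged ? DEBUGGER_HEAP_FLAGS : 0u;
    memset(peb, 0, len);
    if (len < off + sizeof flags)
        return;                       /* too small to carry both fields */
    peb[PEB_OFF_BEINGDEBUGGED] = debugged ? 1 : 0;
    memcpy(peb + off, &flags, sizeof flags);
}

/* Run both checks over a constructed image; bit 0 = BeingDebugged hit,
 * bit 1 = NtGlobalFlag hit. */
int constructed_verdict(int is64, int debugged)
{
    uint8_t image[0x100];
    construct_peb_image(image, sizeof image, is64, debugged);
    return peb_being_debugged(image, sizeof image)
         | (peb_ntglobalflag_debugged(image, sizeof image, is64) << 1);
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
/* Live path (assumed to build with winternl.h's TEB): NtCurrentTeb() reads
 * fs:[0x18] on x86 / gs:[0x30] on x64, and the TEB points at the PEB. */
const uint8_t *current_peb(void)
{
    return (const uint8_t *)NtCurrentTeb()->ProcessEnvironmentBlock;
}
#endif

int main(void)
{
    int is64 = sizeof(void *) == 8;
    printf("constructed debugged image -> %d, clean image -> %d\n",
           constructed_verdict(is64, 1), constructed_verdict(is64, 0));
#ifdef _WIN32
    printf("this process: BeingDebugged=%d NtGlobalFlag=%d\n",
           peb_being_debugged(current_peb(), 0x200),
           peb_ntglobalflag_debugged(current_peb(), 0x200, is64));
#endif
    return 0;
}
```

The two checks fail differently, which is why both are used: a debugger (or a reverser's plugin) can zero BeingDebugged after attaching, but NtGlobalFlag is only populated at process creation, so it catches a debugger-launched process even after the byte is patched, and misses a debugger that attached later.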
Posted by Chris Eng in RESEARCH, January 26, 2009
Monster.com recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine):
We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data. The information accessed does not include resumes.
Considering the well-known tendency to use the same password on multiple websites, compounded with the fact …
Posted by Chris Eng in RESEARCH, January 20, 2009
One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their results. Even so, it’s not unusual for customers to ask for clarification on certain flaws as they prioritize fixes.
The other day, we ran into an example that ended up being much more interesting than …
Posted by Chris Wysopal in RESEARCH, January 13, 2009
It was 10 years ago this week that Tan from the L0pht wrote “Cyberspace Underwriters Laboratories” to describe a vision of third party testing and certification of computer hardware and software.
Tan’s vision got one step closer this week when CWE and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally there is consensus about what the worst software security flaws are. This is an important step because minimum due care for a software producer can be defined as preventing the most dangerous programming errors from being delivered to their customers.
This …
Posted by Chris Wysopal in RESEARCH, January 12, 2009
Today is a very exciting day for software security. The CWE/SANS Top 25 Most Dangerous Programming Errors is being released. I was one of the 41 contributors to the Top 25 Errors.
The list of possible programming errors that can end up causing a vulnerability in an application is immense. The MITRE Common Weakness Enumeration (CWE) has grown to 700 entries. They are all valid programming errors, but some are so obscure or low severity that it isn’t even worth inspecting for them in most software. When a list grows big, oftentimes the important items …