Chris Eng
Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.Posts by Chris Eng
Speculation on Palin E-mail Hack
September 17, 2008 | 8
Assuming the mailbox hack is not an elaborate ruse, how did they do it? Almost as bad as the Sprint PCS password reset fiasco that made the news in April, here is the Yahoo Mail password reset screen: As you can see, you need to know the user's birthday, country of residence, and postal code. Not difficult information to dig up in Palin's case. After you enter this information correctly, you are... READ MORE›
Distributing Malware Through Trusted Websites
September 15, 2008 | 5
Why bother setting up dedicated websites to host malicious content when you can just infect trusted sites like BusinessWeek? This is becoming something of a trend, as evidenced by the mass SQL Injection attacks from a few months ago. The idea is simple -- find SQL Injection vulnerabilities in high-traffic, trusted websites where the site's content is dynamically fetched from a database (i.e. just... READ MORE›
MBTA Hacking Injunction Lifted
August 20, 2008
Earlier today, the US District Court dealt a victory to the MBTA hackers and the EFF, lifting the injunction issued on August 9th to prevent the three MIT students from presenting their findings at DEFCON 16. In summary: The lawsuit claimed that the students' planned presentation would violate the Computer Fraud and Abuse Act (CFAA) by enabling others to defraud the MBTA of transit fares. A... READ MORE›
BlackHat Recap
August 12, 2008
Another BlackHat has come and gone. As usual, it was a very busy week juggling customer meetings, recruiting, conference planning, vendor parties, and, oh yes, the actual BlackHat presentation My favorite talk, as expected, was the Sotirov/Dowd talk on How To Impress Girls With Browser Memory Protection Bypasses. The attack is a conceptually simple, yet completely reliable technique for... READ MORE›
BlackHat Picks, Day 2
August 4, 2008
Here's the rest of my list: 10:00-11:00 FX, Developments in Cisco IOS Forensics. 11:15-12:30 Oliver Friedrichs, Threats to the 2008 Presidential Election (and more). 13:45-15:00 Option 1: Scott Stender, Concurrency Attacks in Web Applications. Option 2: Travis Goodspeed, Side-channel Timing Attacks on MSP430 Microcontroller Firmware. 15:15-16:30 Option 1: Alexander Sotirov and Mark Dowd, How To... READ MORE›
BlackHat Picks, Day 1
July 28, 2008
Well, it's almost BlackHat time. Here are my picks so far for Day 1. As you can see, I still haven't narrowed it down completely. 11:15-12:30 Option 1: Dan Kaminsky, "DNS Goodness". On one hand, the DNS vulnerability is already public; on the other hand, the talk will probably still be interesting even if the 0day hype is missing. Option 2: Nate Lawson, "Highway to Hell: Hacking Toll Systems". My... READ MORE›
Yes! Now I Can Attend Nate Lawson's Talk at BlackHat!
July 21, 2008
By now, you probably know that details of the DNS vulnerability have leaked. Halvar Flake speculated on DailyDave and the momentum built from there, despite the fact that his guess was short on a few key details. I don't need to rehash the full technical details here; by now, they are easy enough to find with a couple Google searches. When Slashdot picks up the story, it's hardly a secret any... READ MORE›
Missing the Point
July 21, 2008 | 4
A co-worker passed along this snapshot taken at the Karsten Nohl, Jake Appelbaum, and Dino Dai Zovi talk at HOPE this past weekend. The context, of course, is that the overzealous Debian developer who accidentally crippled OpenSSL back in 2006 said he did so because valgrind reported uninitialized memory use. Click through for the full-size version. So automated software review is dangerous now... READ MORE›
What Dan's DNS Checker Doesn't Do
July 10, 2008 | 6
Despite what various commenters around the blogosphere think (I've read a few but can't find the links now), Dan Kaminsky's online "Check My Dns" utility doesn't: Poison anybody's DNS cache Expose how the actual exploit works What it does is check whether your ISP's DNS server is patched. Plain and simple. It looks for one thing -- source port randomization. This does not give away the... READ MORE›
DNS Vulnerability Survives Scrutiny of Peer Review
July 9, 2008
The security community is cynical. So much so, that most of the chatter that's taken place over the past 24-36 hours has suggested that Kaminsky's DNS vulnerability was little more than a publicity stunt and that his BlackHat presentation would be an over-hyped rehash of prior art. Granted, one has to suspend disbelief to even consider that something monumental would be discovered in DNS -- that'... READ MORE›
