August 8, 2008
Three French journalists have been banned for life from Black Hat and Defcon for compromising the Black Hat press room wired network and grabbing the credentials of at least one reporter. Their goal was to publicize the risks to reporters, especially topical given the massive reporter presence in Beijing for the Olympics. This risk is certainly real and it is a shame that these journalists had to...
August 7, 2008
I'm not talking shipping as in boats, but shipping as in packages. David Maynor is giving a talk at Black Hat on his newest experiment: using a small, cheap WiFi platform that is remotely accessible over a WAN to perform WiFi surveillance from inside a package delivered right to your victim. Guess what the cheap platform is? An iPhone, of course. George Ou has some pictures and more details in his...
July 30, 2008
Last week, Ben Worthen of the Wall Street Journal had a conversation with Howard Schmidt about the vulnerabilities in purchased software while Howard was waiting in line to have his iPhone upgraded. Howard Schmidt, who was once the CSO of Microsoft, knows a thing or two about vendors shipping insecure software. He offers this advice relating to his iPhone: "Just because a piece of software was...
June 30, 2008
We all know it happens, but it is rarely exposed as clearly as Adam Penenberg did in his article for Fast Company, The Black Market Code Industry. It turns out that this 0day seller was an HP employee: According to the consultant who snared Marester, his quarry's skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that...
June 12, 2008
The Verizon Business data breach report is by far the most comprehensive and detailed report on data breaches I have seen. It is great to see the breakdown of the root causes of these expensive and significant computer security failures. While it is interesting to see counts of malware-infected computers from Symantec and vulnerability counts from CVE, this report gets to the actual...
March 17, 2008
I took part in the L0pht Reunion Panel at the Source Boston conference in Cambridge, MA last Friday. It was a lot of fun to get back together with the "band" and pontificate with no holds barred about the latest security threats, just like we did in the old days. One of the questions asked of the panel by moderator Michael Fitzgerald (who did a kick-ass job) was, "What scares you the most these...
March 11, 2008
Here is another data point showing that simple backdoors are being placed into free applications. A programmer, Dustin Brooks, was inspecting a free Gmail backup utility called G-Archiver with Reflector and noticed that not only did it have the author's Gmail credentials baked in, but it was sending the Gmail credentials of every user of the program to the author. This is an example of an unintended...
February 13, 2008
Recently an executive at HP claimed that his company now employs 9 of the top 11 security people due to HP's acquisition of SPI Dynamics: "Nine out of the world's top 11 security hackers came to HP through the SPI Dynamics acquisition, he boasts, although it's not immediately clear who ranked those top 11." - Mark Potts, CTO of Software, Hewlett-Packard. Now eWeek has...
February 6, 2008
There is a heap overflow vulnerability in RealPlayer 11 build 6.0.14.74. It allows code execution when RealPlayer opens a malicious song file.

Timeline
Dec 16, 2007: Gleg customers notified of vulnerability and given exploit code
Jan 1, 2008: Public disclosure (no details) with online demonstration
Feb 6, 2008: Vulnerability still not patched

It's not your typical disclosure timeline....