It Couldn't Happen To Us!

By Chris Eng May 9, 2007

[Allow me to introduce Mike VanEmmerik. Mike is one of our engineers, who works closely with Christien Rioux and others on Veracode's analysis engine. Those of you who follow the decompilation community probably recognize his name. We'll have a full bio posted for him soon, and he will be a regular contributor to this blog.] It Couldn't Happen To Us! by Mike VanEmmerik Surely this was what was...

Just In, From the "Finish What You Started" Department

By Chris Eng May 4, 2007

I never actually posted the rest of my notes from CanSecWest. At this point, I'd be leaning towards leaving it at that, but since I've had a couple requests to finish up, I'll oblige, providing I can still remember the salient points. So without further ado, CanSecWest Day 3: Andrea Barisani and Daniele Bianco from Inverse Path gave an informative and entertaining presentation on Unusual Car...

Raise Your Hand If You Use iTunes

By Chris Eng April 26, 2007

Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but...

Your Browser Requests To Be Exploited

By Chris Wysopal April 25, 2007

Client-side browser vulnerabilities, the ones that require the browser software on your computer to make a request to a web site hosting a malicious web page, are on a sharp rise. Sophos reports: From January to the end of March, Sophos identified an average of 5,000 new infected webpages every day, indicating that this route to infection is becoming more popular with cybercriminals. and Not all...

CanSecWest Day Two Highlights

By Chris Eng April 23, 2007

Slowly but surely, I'm catching up on my blogging backlog. As I posted before, Day 2 of CanSecWest was a long day, with presentations running from 9am to 9pm. Here are some of the highlights: Barnaby Jack's talk, Exploiting Embedded Systems - The Sequel!, was mostly the same as last year's talk with a couple notable exceptions. Last year, he exploited a UPnP stack overflow in the DI-524, while...

OSX Security Apologists, Read Carefully

By Chris Eng April 22, 2007

I'll post my thoughts from Days 2 and 3 of CanSecWest pretty soon. Thursday was a marathon 12 hours of talks followed by a Microsoft party, and Friday I went straight from the con to the airport to catch the red-eye back to Boston, so I just haven't gotten around to it. Before I do that, though, let's talk about the "Pwn To Own" contest, which turned out to be interesting....

CanSecWest Day One Highlights

By Chris Eng April 19, 2007

Thought I would post a few thoughts on today's talks: For some reason I expected more out of Jose Nazario's talk on Reverse Engineering Malicious Javascript. Basically, it could be summarized as follows: Use command-line Javascript interpreters such as njs to figure out what obfuscated Javascript does without having to execute the malicious code in the context of a web browser. Near the end, he...

Landed in Vancouver

By Chris Eng April 17, 2007

As you may have guessed, I'm out in Vancouver the rest of the week attending CanSecWest. Looking forward to catching up with old friends and former colleagues and meeting more of you lurkers! I am always overly paranoid about getting owned by 0day at these conferences. My work laptop won't run Linux cleanly without rebuilding the kernel, and since I don't have time for that stuff anymore, I'm...

Take WASC Data With a Grain of Salt

By Chris Eng April 10, 2007

The Web Application Security Consortium (WASC) just published statistics on the prevalence of various web application vulnerabilities. The list was compiled from 31,373 automated assessments performed during 2006 by four contributing companies, with the methodology around data collection described as follows: The scans include a combination of raw scan results and results that have been manually...

Public Perception of Application Risk

By Chris Eng March 23, 2007

There has been a lot of buzz recently about the possibility of Xbox Live being hacked. People are taking over accounts, locking out the original owners, and racking up charges. Message boards were in a panic, speculating about what the gaping security hole was and how it was exploited. As it turns out, the whole thing boils down to a social engineering attack (or pretexting, for those who like...
