Skype and Critical Mass

By Chris Eng August 20, 2007

There's been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype's official explanation, it wasn't a security-related event -- in other words, Skype wasn't hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of...

Backdoor Detection in the News

By Chris Wysopal July 26, 2007

There has been some talk in the press lately about backdoors due to the recent court case where it was disclosed that federal agents planted a keystroke logger on a suspect's computer using a trojan program. Many of the articles don't report on the court case but raise the question as Declan McCullagh titles his article, "Will security firms detect police spyware?" You can see the security cat...

A Security Issue with C++ Object Layouts

By July 17, 2007

Type safety is a feature of numerous modern programming languages. C++ is not strict about type safety, and as a result, vulnerabilities may appear in programs in unexpected ways. Here's an example I recently discovered. Consider this structure: typedef struct _NOTIFYICONDATAA { DWORD cbSize; HWND hWnd; UINT uID; UINT uFlags; UINT uCallbackMessage; HICON hIcon; #if (...

Chris Wysopal Interviewed by Christofer Hoff

By Chris Wysopal June 26, 2007

A few days ago Christofer Hoff interviewed me on his blog. We talked about Veracode and the application security industry. Click here to read the interview: Take 5- Five Questions for Chris Wysopal, CTO Veracode

File Format Vulnerabilities On the Rise

By Chris Eng May 31, 2007

Software flaws have become serious vulnerabilities for companies today, as the security measures along the perimeter have become much better. And it's not just the flaws in enterprise and ISV code -- even code written by major antivirus companies can be at risk. F-Secure just posted a couple of security bulletins around vulnerabilities in their antivirus products. Of particular interest is a buffer...

Binary Analysis Everywhere

By May 31, 2007

Analysis of binary files without access to the source code has become more prevalent over the last five years or so. Of course Java decompilers have been around almost as long as Java itself, but that's not machine code. I'm talking about analysis of native machine code (x86 or PowerPC instructions), and not of object code (.o or .obj files), which has relocation and symbol information in it...

IOS FTP Vulnerabilities: Backdoor or Honest Mistake?

By Chris Eng May 13, 2007

Network World recently published an article entitled Cisco says FTP feature in IOS is a hacker backdoor. The opening paragraph reads as follows: Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers. Do you see the discrepancy? The opening statement is inconsistent with the title of the article. Are they saying that the flaw could...

It Couldn't Happen To Us!

By Chris Eng May 9, 2007

[Allow me to introduce Mike VanEmmerik. Mike is one of our engineers, who works closely with Christien Rioux and others on Veracode's analysis engine. Those of you who follow the decompilation community probably recognize his name. We'll have a full bio posted for him soon, and he will be a regular contributor to this blog.]

It Couldn't Happen To Us! by Mike VanEmmerik

Surely this was what was...

Just In, From the "Finish What You Started" Department

By Chris Eng May 4, 2007

I never actually posted the rest of my notes from CanSecWest. At this point, I'd be leaning towards leaving it at that, but since I've had a couple of requests to finish up, I'll oblige, providing I can still remember the salient points. So without further ado, CanSecWest Day 3: Andrea Barisani and Daniele Bianco from Inverse Path gave an informative and entertaining presentation on Unusual Car...

Raise Your Hand If You Use iTunes

By Chris Eng April 26, 2007

Because if you do, you've probably installed QuickTime without realizing it. Why is this relevant? Well, if you've been in a cave for the last week, you may not have heard about the QuickTime/Java vulnerability discovered during the CanSecWest conference, which happens to affect just about anyone with those two applications installed. If you try to uninstall QuickTime, it'll happily oblige, but...
