Mon, 23 Jun 2008

A blog that hasn't mentioned the OSX priv escalation bug OR Firefox3???

well.. 50% right..

But I'm not going to talk about Firefox's record-breaking download, or the bug that was released in record time.. but want to point you at Andy Ihnatko's review of Firefox 3. Andy is an old-school Mac diehard, and is a regular on the MacBreak podcast, but says:

"But with 3.0 . . . well, we have a victor. Firefox 3.0 should be your default browser, starting right now."

Check it out.. both the review, and the download..

Tue, 17 Jun 2008

Very decent Security Podcast..

I am probably one of the last people around to discover this, but I'll post it here for the (probably) 2 other people in the world who have yet to stumble upon it: Risky Business.

It's pretty hard to find good-quality security podcasts without some pretty sad signal-to-noise ratios (or adverts for SpinRite), but Risky Business is def. a keeper..

I downloaded a few older episodes to help me through a long drive this weekend, and was very pleasantly surprised.. if you have not yet added it to your podcatcher.. you probably will..

Rethinking ye old truths

Since forever, I've been told (and told others) that the greatest threat is from the inside. Turns out, not so much. Verizon Business (USA) apparently conducted a four-year study on incidents inside their organisation and found that the vast majority, 73%, originated from outside. However, the majority of breaches occurred as a result of errors in internal behaviour such as misconfigs, missing patches, etc. (62% of cases).

So attackers are generally outsiders taking advantage of bad internal behaviours, rather than local users finding 0-day. From the exec summary:

"In a finding that may be surprising to some, most data breaches investigated were caused by external sources. Breaches attributed to insiders, though fewer in number, were much larger than those caused by outsiders when they did occur. As a reminder of risks inherent to the extended enterprise, business partners were behind well over a third of breaches, a number that rose five-fold over the time period of the study."

Other interesting snippets that tie directly back into what we cover when we train, and why we think there is value in not only aiming at sploit-writing and 0-day:

Most breaches resulted from a combination of events rather than a single action.

Intrusion attempts targeted the application layer more than the operating system and less than a quarter of attacks exploited vulnerabilities.

In other words, bite-sized chunks for the win; Core/Canvas/Metasploit are cute, but that's not how customers get owned most often in the real world.

Link to the report, link to summary.

Thu, 12 Jun 2008

Carpet Bombing and eating Crow...

The recent Safari Carpet Bombing bug reported by Nitesh Dhanjani and ignored by Apple had all the makings of an egg-on-face incident. We were discussing it over foosball, and the obvious consensus was "if a line starts with 'that's not exploitable, it's only..' then odds are you are wrong.."

But.. lots of people quicker and smarter than me [1, 2, 3] blogged (or twittered) about why this was a silly approach for Apple to take..

Interestingly.. Microsoft bloggers were quick to pounce on this PR fiasco in the making. Microsoft released a security advisory commenting on the danger of a "blended threat". Now.. by accident (or by design), that advisory looks a lot like "This is an Apple screwup!"; indeed, one of the suggested workarounds is: "Restrict use of Safari as a web browser until an appropriate update is available from Microsoft and/or Apple."

The advisory (now) also credits "Aviv Raff" for his report. LiuDieYu filled in the details, pointing to Aviv's 2006 finding, which is a pure DLL search order bug (which incidentally was published as an IE7 bug). So now the Microsoft folks who were sneering at Safari all end up shuffling their feet a little while looking at the floor. All credit to RHensing from Microsoft, who quickly awarded Microsoft the FAIL open goat award too.. *ouch*

Like sands through the hourglass...



Sun, 8 Jun 2008

This has nothing to do with anything technical..

but since it made me eat crow, I figured I would share it..

Although I read a fair bit, I stopped really reading fiction many, many moons ago. It's something I often feel I'll try to get back into when I'm a little older with more time (like playing golf), but right now it somehow always feels like fiction pieces give off less real information than their non-fiction counterparts..

To this end, I got through about 0.5 of one of the Harry Potter books before deciding that it wasn't for me (but still stood in the queue at midnight for the final book because Deels has always been nuts about it..)

Anyway.. Deels pointed me this weekend towards J.K. Rowling's commencement speech at Harvard: [J.K. Rowling Speaks at Harvard Commencement : Harvard Magazine]

The speech is well worth the few minutes it will take to read/watch/listen to, and gives me new respect for the author.. -sigh- maybe I'll pick up the Philosopher's Stone tonight after all..