Haroon Meer
Late BlackHat Update..
ok.. so im in my room finally catching up on sleep (or will be in a few minutes) while most people are finishing Microsofts booze at the PURE microsoft party.. BlackHat is over, which means tomorrow we are off to the riviera for defcon..
Marco and i got a lot of positive feedback from our talk, including from guys like rob auger of wasc fame and andrew bortz who we quote in our paper, so it was pretty cool.. all our demos went of smoothly (where one of them was using javascript (and timing) to create a distributed brute-forcing tool, which had every opportunity to go south) so we were happy..
BlackHat Progress Report
(always wanted to say that!)
2 SensePost Training sessions are over, and as i type The weekday sessions are at about 50%. Feedback so far has been pretty cool and its been fun to meet new people / bump into some old friends..
The next “biggie” on the horizon is Wednesdays talk.. We have had a fair bit of interest so far and even though the slot has some stiff competition its seems like all will be well :). The talk should be interesting to developers, pen-testers and even just people with a vague interest in see’ing cool stuff.. Marco has been adding functionality to “squeeza” like a demon and as it stands its probably the only SQL Injection tool i know that will allow (file downloads, arb sql queries, database mining) all purely in T-Sql over a variety of transport channels (dns, error messages, timing). We will post the link to it for download just before we talk..
BlackHat, DefCon, Las Vegas
Ok.. so the 2nd plane with SensePost’ers has touched down in LasVegas and the first cheeze-pizza from the caesars food court has been consumed.. So little changes in caesars that it always adds to the surreal feeling that lasts for the entire stay..
We will be in the training rooms over the weekend, and during the week, and will then give our bh-talk, before moving to defcon for the talk there..
in between, as usual its a chance to meet old friends, make new ones and get sun-burnt! Grab us if you see us, and we can grab coffee/beer/chocolate-milk..
-sigh- little things, little minds…
Deels stumbled on www.simpsonizeme.com to give me mh, the springfield edition..
Combine with your intranet mug-shots, and it could give you hours of lost productivity..
Google Cookies.. Finally a saner expiry date…
Google have finally revised their cookie expiration policy, which will have user cookies expiring after 2 years. (For those of you who think this is too long, it needs to be kept in mind that this used to be set to expire in 2038!).
Of course, the tin-foil hat wearers amongst us are going to find it difficult to convince the “keep-your-stinkin-privacy-i-want-my-15-minutes” facebook generation that privacy actually matters, but we can probably chalk this, and their earlier anouncement to sanitize search server logs after 18 months as a tiny victory..
Adam Shostack on Biometrics..
hmmm… i have heard this somewhere before….
” However, in cases where your finger is used to identify or authenticate you, it’s much harder to change your password. ”
/mh
VMWare Fusion, i love you not, i love you…
ok.. some of you in the office would have heard me whine when vmware fusion recently started taking my whole machine down occasionally. The joy of it being the whole machine is that ive lost my firefox profile, and managed to turf my osx preferences twice since this started happening..
Through meticulous checking i tracked down that the problem started “the day i blogged about how much i love vmware fusion”. i spent a lot of time wondering if i rm’d the post if it would fix the problem…
Have a (one) care sir….
Someone in the office was discussing Microsoft’s recent horrible foray into the anti-virus market. Apparently an online source held one-care as faring worse than a simple man with a perl script. A quick scan shows that they have indeed faired pretty poorly in independent tests:
“(BBC News) OneCare was the only failure among 17 anti-virus programs tested by the AV Comparatives organisation.”
Now the obvious question was: How could Microsoft possibly get it so wrong? (Cue the drum roll, bring out your tin foil hats)
Probably the best book dedication i have ever seen….
Richard Bejtlich didnt give the pre-release a glowing review but i know at least a few people waiting eagerly to get their hands on the new “Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, and Pedram Amini“. Pedram is the mastermind behind Pai-Mei and started OpenRCE, but his last blog post points to the books dedication page, and it probably makes the book worth buying all on its own..
outstanding…
In Defense of Testing Pens… (aka how to keep your soul while being a pen-tester)
A short while back, a discussion broke out on a mailing list about the nature of being a pen-tester. The discussion quickly gravitated towards the number of “security” companies where numbers of projects far out-weigh the interestingness of projects, leading rapidly to a cookie-cutter mentality to pen-test engagements..
Of course if you have spent any time in the industry, you already know this to be true.. the obvious danger with this is that you have a lot of unhappy pen-testers giving shoddy output to (eventually) very unhappy customers. Sadly this soon follows the well published “market for lemons” problem where eventually due to information asymmetry, bad products will soon push out good ones.. i.e. because its hard for customers to tell the difference between good pen-tests and lame pen-tests, eventually the market price drops towards low grade pen-tests (since the customer is paying for what they expect) and at the low prices, good pen-test teams will close shop and move on to other lines of work..