Comments on the blog have been surprisingly quiet, and we should have realised this when more and more people started having discussions with us via Twitter or email (as opposed to simply saying their piece here).
Short Story:
It was broken, and it should be fixed again. Blame has been assigned and culprits have been whipped appropriately.
Long Story:
Most SensePost’ers interact with the blog through our company-internal blog. This allows us to share top secret information like lolcats without publishing it here. Selected posts are pumped through to the public site via a plugin (which also publishes certain comments, etc.).
We have scheduled our next training course, Hacking By Numbers – Extended Edition (Bootcamp), for May 11-15th.
The course runs for a full 5 days.
Overview: The HBN ‘Extended Edition’ is simply an intensive extended version of the regular Bootcamp course. Whilst the content and structure are essentially the same as Bootcamp, the Extended Edition offers students a deeper understanding of the concepts being presented and affords them more time to practice the techniques being taught. Extended Edition is currently offered in Switzerland and South Africa only, or can be arranged on request.
We’ve had a number of issues with reDuh and the various server versions published. Some clients worked with some versions of the server, and didn’t play nicely with others.
I am happy to say that these have all been resolved now. The single reDuhClient now works with the JSP, ASPX and PHP versions of reDuh. It’s been tested on a number of different platforms.
Additionally, the new reDuh client supports some enhancements. These are:
The United States Committee on Homeland Security’s Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology recently held a hearing to determine if “the Payment Card Industry Data Standards Reduce Cybercrime?”
Risky Business played snippets of the hearing under the apt title “Washington spanks PCI DSS”. Like most episodes of RB, it’s well worth the listen.
One of the “merchants” giving testimony made his point quite succinctly: the credit card companies require merchants to keep card details, and then shift the burden of fraudulent transactions onto the merchant. There are much better ways to handle transactions, but the current method is a cheap way for the CC vendors to shift the burden and the risk to the merchants, who historically had no alternative.
what? on April 1st???? Never!
A little while back I commented on Marcus Ranum’s HiTB talk “Cyberwar is Bullshit!”. I ended the post with the words “Ranum is indeed much better than this.” Ranum spoke recently at Source Boston, and his talk [The Anatomy of Security Disasters] indeed shows this is true.
If you are in the industry to make a quick buck, or because it beats flipping burgers at McD’s, you probably don’t need to, but if you are involved with security decisions at any level, then you really should take a few minutes to digest his talk.
Way back when I was a sysadmin, I recall reading a quote from one of the AT&T greybeards who said something to the effect of “every competent sysadmin should be able to build his own network card”.
Of course most of us have spent tons of time ripping apart electronics and “watching what happens when you connect X and Y”, but unlike the electronic engineers with their oh-so-cool multimeters, I’ve never actually done any PLC programming.
Hi All
We have scheduled our first Developer course for April in Pretoria, in case you know of anyone in your area who would like to attend.
– Hacking by Numbers – Developer Edition (28-30th April)
Information about the course:
HBN – Developer Edition: ‘Hacking By Numbers – Developer Edition’ is a course aimed at arming web application developers with knowledge of the web application attack techniques currently being used in the ‘wild’ and how to combat them. Derived from our internationally acclaimed ‘Hacking By Numbers’ security training, this course focuses heavily on two questions: “What am I up against?” and “How can I protect my applications from attack?” During the course, sample applications will be dissected to discover security-related bugs hidden within the code. The class will then consider prevention, detection & cure.
Microsoft released !exploitable at CanSecWest this year. The debugger extension, and the accompanying slide deck can be found [here].
I have not looked at it yet, but a glance at the slides implies that they aim to solve the problem of “too many crash dumps, not enough time”.
It’s pretty cool, and that Microsoft is releasing this is even cooler.
Truly tragic. We are all poorer for it. It really was an honor and a privilege to have known him.