Blackhat
Sensepost Training in November
Our next scheduled training sessions have been planned for November. If you’re interested in attending, the dates and locations are:
1) HBN Bootcamp Edition 7-9th November, BlackHat Abu Dhabi
‘Hacking By Numbers – Bootcamp Edition‘ is our ‘introduction to hacking’ course. It is strongly method-based and emphasizes structure, approach and thinking over tools and tricks. The course is popular with beginners, who gain their first view into the world of hacking, and experts, who appreciate the sound, structured approach.
Memcached talk update
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to this; explanations for the interest are welcome!
We wanted to highlight a few points that didn’t make the slides but were mentioned in the talk:
Bit.ly and GoWalla repaired the flaws extremely quickly, prior to the talk. PBS didn’t get back to us. GlobWorld is in beta and isn’t publicly available yet. For those blaming admins or developers, I think the criticism is overly harsh (certainly I’m not much of a dev as the “go-derper” source will show). The issues we found were in cloud-based systems and an important differentiating factor between deploying apps on local systems as opposed to in the cloud is that developers become responsible for security issues that were never within their job descriptions; network-level security is oftentimes a foreign language to developers who are more familiar with app-level controls. With cloud deployments (such as those found in small startups without dedicated network-security people) the devs have to figure all this out.
BlackHat Write-up: go-derper and mining memcaches
[Update: Disclosure and other points discussed in a little more detail here.]
Why memcached? At BlackHat USA last year we spoke about attacking cloud systems, while the thinking was broadly applicable, we focused on specific providers (overview). This year, we continued in the same vein except we focused on a particular piece of software used in numerous large-scale application including many cloud services. In the realm of “software that enables cloud services”, there appears to be a handful of “go to” applications that are consistently re-used, and it’s curious that a security practitioner’s perspective has not as yet been applied to them (disclaimer: I’m not aware of parallel work).
Go-derper: mining your memcacheds
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up properly but here’s a link to the tool for the moment.
tl;dr: if you find a memcached, you can dump the cache and manipulate entries in the cache.
SensePost’s Training @ Black Hat Vegas ’10 (win something)
After hearing our talk was accepted at BlackHat, we’re happy to announce that our training will be back for it’s 9th straight run. Speaking of a run, we’re going to be hosting the usual marathon of courses: cadet, bootcamp, combat, web 2.0. But, while the names remain, we’ve spent some time updating the material. In particular, bootcamp, combat & web 2.0 have been through the ringer. We’re hoping to get some detailed info on the updates out in the coming weeks.
SensePost at BlackHat USA 2010
A brief update from South Africa on some recent talks as well as the upcoming BH USA: our talk proposal has been accepted for BH USA 2010 which makes it the ninth year running that SensePost is talking in Las Vegas. One more and we qualify for free milkshakes at the Peppermill. This year we’ll be discussing caching in large scale web apps and why exposing caches to the interwebs is a Very Bad Thing. We’ll also be looking at caching services, an idea whose time should never come.
Prev
Page 5 of 5