September 26, 2011

Poor SSL. It’s been the standard for so long, but it’s had a rough go of it the last few months. First there were the breaches at Comodo and Diginotar, allowing intruders to generate seemingly-authentic certs to trick users, and now this.

In particular, security researchers Juliano Rizzo and Thai Duong have built a tool that’s capable of decrypting and obtaining the authentication tokens and cookies used in many websites’ HTTPS requests. “Our exploit abuses a vulnerability present in the SSL/TLS implementation of major Web browsers at the time of writing,” they said.

To illustrate the vulnerability they’ve discovered and automatically harvest authentication tokens and cookies, the researchers said they’ve also built a JavaScript-based tool dubbed BEAST, for Browser Exploit Against SSL/TLS. “It is worth noting that the vulnerability that BEAST exploits has been [present] since the very first version of SSL. Most people in the crypto and security community have concluded that it is non-exploitable, that’s why it has been largely ignored for many years,” Duong told Threatpost.


Rank My Hack

August 31, 2011

The world of hacking has always been one built on boasting and prestige – but now it’s official. A new leaderboard at is tracking live exploits, awarding points based on complexity and skill, and hoping to become the definitive ranking system for the computer underground.

Someone who cracked is at the top of the list. Impressive stuff.

Apache Killer

August 25, 2011

A new Apache denial-of-service tool, named “Apache Killer”, has been posted on Full Disclosure and usage has been observed in the wild. Both the 1.3 and 2.0 codebases are affected – the Apache project says that a patch is upcoming. More details at the link.


PIN Harvesting

August 22, 2011

Sure, if you want to steal someone’s ATM PIN, you can shoulder-surf it, or use a pinhole camera, or even compromise the ATM itself. But why bother when a thermal camera is so much easier?


August 17, 2011

A new piece of Android software, which installs itself as “Google++”, is a true bundle of joy. Not only does it steal data from the phone, it is also capable of answering phone calls from a predetermined number (after setting the handset to silent and turning on the speakerphone) to allow the attacker to eavesdrop on the surrounding environment.

Much as I chafe at the restrictive nature of the Apple App Store, it really is a model that makes sense for an appliance like a phone. It’s nice to have the added flexibility of a platform like Android, but it also imports all of the security problems of a general computing device along with the capabilities.


August 15, 2011

The SIFT Workstation forensic toolkit is a freely available set of tools for forensic analysis of computers and networks. And it comes highly recommended.

Although the commercial tools maintain advantages over SIFT in some areas, the free SIFT tool exceeds the capabilities of the commercial tools in other areas. “Even if SIFT cost tens of thousands of dollars,” says Alan Paller, director of research at SANS, “it would be a very competitive product.” At no cost, it should be part of the portfolio in every organization that has skilled forensics analysts.


August 3, 2011

Nearly four million pages have been infected with iframe exploits due to a hole in older versions of the osCommerce business software. If your own web site is using osCommerce, make sure that it is a patched, current version.

IPv6 Deployment

July 28, 2011

According to this survey from Network World, most IT departments plan on having their webservers and other externally-facing resources available via Internet Protocol v6 in the next 24 months. A majority of respondents also plan to have their internal networks running either v6 or dual-stack within the same timeframe.

Do you have a plan? If not, I’d say you’re already way behind schedule.

Battery Hack

July 27, 2011

Charlie Miller, a researcher with Accuvant Labs, has discovered an interesting new flaw in Apple’s software ecosystem. Their “Smart Battery System”, which monitors battery charging and power levels, can actually be compromised and the firmware reflashed, allowing an attacker to destroy a battery or perhaps even make it explode or catch fire.


Linux 3.0

July 22, 2011

Not strictly security related, but a huge technical news story today: version 3.0 of the Linux kernel has been released.

As a relative latecomer to Linux (I’ve only been running it on my personal machines for eight or ten years), I won’t be regaling anyone with stories of installing Slackware off of a stack of 3.08 x 10^19 floppy disks or anything. But it is pretty amazing to think that, in twenty years, a grad student’s terminal emulator and toy kernel has turned into one of the most widely used operating systems on the planet.