Topic: Technology
12:40 pm EST, Dec 4, 2007
Sweet, sweet flash vuln analysis SWFIntruder

Oops! PayPal Security Key fails

Topic: Technology
11:04 am EST, Dec 4, 2007
When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. By generating a random, six-digit number every 30 seconds that users needed to authenticate themselves online, the small electronic token provided an additional layer of protection against phishers and other online criminals.

Yay, two-factor auth!

But according to Chris Romero, an IT administrator who has used the Security Key for several months now, a bug could allow phishers and others with bad intent to work around the measure. When accessing his PayPal account from merchant sites and other third-party destinations, he says, his account is validated when he types in any six-digit number, as long as he provides a valid user id and password and answers an accompanying security question.

Oops! Not good. And now for the money shot!

Update: The aforementioned spokeswoman said on Thursday that over the past 24 hours PayPal security people have become able to reproduce the bug and are working on a fix. As we noted above, she said the flaw shouldn't be regarded as a significant security risk because users are still required to enter a password and enter a security question.

Are you kidding me? Your two-factor auth isn't two-factor anymore! The whole point is that stealing someone's password doesn't grant access to the account, because the attacker must also physically possess something. Only PayPal messed up and you don't need to possess anything. That is a radical backstep in security and some silly marketing chick is telling people it's not an issue? Are you kidding me? Is that PayPal's official position? WOW! Just... WOW.
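The failure Romero describes is a second-factor check that only looks at the shape of the code. The Python below is an added example, not PayPal's code: a minimal RFC 6238 TOTP generator for the 30-second, six-digit scheme the article describes (the RFC's published test seed serves as a constructed secret), with the fail-open verifier beside a real one. It assumes that every login path, third-party checkout included, must call the real verifier.

```python
import hashlib
import hmac
import re
import struct

# Constructed secret: the RFC 4226/6238 test seed, not a real PayPal key.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: a new six-digit code every 30-second step."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_fail_open(submitted: str, secret: bytes, now: int) -> bool:
    """The bug as reported: the 'second factor' is only checked for shape,
    so any six digits pass once the password and security question are right."""
    return re.fullmatch(r"\d{6}", submitted) is not None


def verify_token(submitted: str, secret: bytes, now: int, skew_steps: int = 1) -> bool:
    """A real second-factor check: the code must equal the one derived from the
    shared secret for the current step (or an adjacent one, to absorb clock drift)."""
    if re.fullmatch(r"\d{6}", submitted) is None:
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        t = now + delta * STEP_SECONDS
        if t < 0:
            continue
        expected = totp(secret, t)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False
```

Whether the token was ever consulted is exactly what separates the two verifiers; an account whose login on one path never reaches verify_token has, on that path, only one factor.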

Web Beam! Oh yeah

Topic: Technology
3:57 pm EST, Dec 2, 2007
Wow, the world is an amazing place. I was amused when industry veterans purchased Google AdWords on my name, but you know you have really made it when someone posts a spoofed mail to Full Disclosure pretending to be you! A couple of things:
-SPI Dynamics (sadly) ceased to exist on August 1st.
-I don't use the Billy @ SPI email address any more, and it will start bouncing soon.
-I'm actually not lead researcher anymore. I got promoted and I run the web security research group :-)
-This video looks like something my partner in crime Virgil would send me.
Bravo though; while this is a fairly intricate post, it sadly is not true. If I did something like that, it would be under a Roman-sounding name in a 2600 article :-). Besides, there are too many manual web application pen-testing frameworks as-is. I have little to add to the work that far smarter people have done.

PlayStation 3 to Crack Passwords

Topic: Technology
4:22 pm EST, Nov 29, 2007
Using a PS3, a senior security consultant has come up with a way to drastically increase the processing capability of cracking passwords. Nick Breese, a senior security consultant at Auckland-based Security-assessment.com, has come up with a way to drastically increase the processing capability of cracking passwords, using a PS3. By implementing common ciphers and hash functions using vector computing, Breese has pushed the current upper limit of 10--15 million cycles per second -- in Intel-based architecture -- up to 1.4 billion cycles per second. Breese, who has been working on the project, called "Crackstation", for the past six months, used the Sony PlayStation 3 gaming console for his breakthrough research. Breese says the initial reason for embarking on the research project was to get the company to buy him a PS3.

This is exactly why Bryan and I hacked the iPhone, only Caleb got to keep the phone :-(

ASP.NET RegEx Validators fail open? WTF?

Topic: Technology
3:26 pm EST, Nov 20, 2007
RegEx Validators are handy for implementing Whitelist input validation so it pays to see what they actually do under the covers.
try
{
    // Regex.Match finds the first match anywhere in the input...
    Match match = Regex.Match(controlValidationValue,
                              this.ValidationExpression);
    // ...so the validator also requires that the match starts at index 0
    // and spans the whole value, which effectively anchors the expression.
    return ((match.Success && (match.Index == 0))
            && (match.Length == controlValidationValue.Length));
}
catch
{
    // Any exception (for example a malformed ValidationExpression) is
    // swallowed and the input is reported as valid: the validator fails open.
    return true;
}
A final thing that caught my eye was the try ... catch ... block. If the Regex.Match() call throws an exception, the validator returns true, indicating the input is safe. This means that in the event of an error, the validator fails open instead of failing closed!

Deciding when applications/appliances/software/hardware/structures should fail open or fail closed is way beyond the scope of this post, and the answer is almost always circumstantial, based on the individual situation. Quick, should firewalls fail open or closed? Fail open? Well then an attacker knocks out your firewalls and it's open season on the FTP servers and Samba shares inside your organization. Fail closed? That's a nifty DoS you built into your network infrastructure now, isn't it? When should input validation fail open or fail closed? Again, it depends, but my gut tells me it should fail closed more often than it fails open.
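Added example in Python (not the ASP.NET code above): the same three-part match test and the same catch-all, with a fail-closed variant beside it. The ZIP-style pattern and the inputs are constructed for the demo, and re.search stands in for Regex.Match, which likewise finds the first match anywhere in the string.

```python
import re


def net_style_match(value: str, pattern: str) -> bool:
    """The three checks from the decompiled validator: a match exists, it starts
    at index 0, and it spans the whole input. The last two are what stop an
    unanchored '\\d{5}' from accepting 'x12345' or '12345\\n'."""
    match = re.search(pattern, value)  # first match anywhere, like Regex.Match
    return (match is not None
            and match.start() == 0
            and len(match.group(0)) == len(value))


def validate_fail_open(value: str, pattern: str) -> bool:
    """Mirrors the catch-all on the page: a broken expression makes every
    input 'valid', so a typo in the pattern silently disables the whitelist."""
    try:
        return net_style_match(value, pattern)
    except re.error:
        return True


def validate_fail_closed(value: str, pattern: str) -> bool:
    """Hardened form: a validator that cannot run rejects the input. The error
    should be logged (pattern name, not the user data) so the regex gets fixed."""
    try:
        return net_style_match(value, pattern)
    except re.error:
        return False


# Constructed demo values: a five-digit ZIP whitelist and a broken pattern.
ZIP_PATTERN = r"\d{5}"
BROKEN_PATTERN = r"[0-9"  # unterminated character set -> re.error
```

Run both validators over "12345", "x12345", "12345\n" and the broken pattern: they agree on the well-formed pattern and diverge only when the regex itself is defective.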
More web sec people read Memestreams than read the SPI Labs blog. I'm not really sure what to make of that. :-)

Jesse James Garrett: Buy Ajax Security Book

Topic: Technology
10:54 am EDT, Oct 31, 2007
"Ajax Security is a remarkably rigorous and thorough examination of an underexplored subject. Every Ajax engineer needs to have the knowledge contained in this book - or be able to explain why they don't." -- Jesse James Garrett, Father of Ajax
Best. Praise Quote. Ever.

W3af: Web Application Attack and Audit Framework

Topic: Technology
11:19 am EDT, Oct 19, 2007
Caleb and I joke that the conference talk we most want to give, but (for various legal reasons) will never be able to give, is how to write a modern web scanner. This architecture looks a lot like what we would discuss. But, as always, there are things that are essential that it fails to address (so far):
-Manual JavaScript? Can a brother get some SpiderMonkey?
-Captcha?
-Flash? Anyone?
-Two factor?
I need to take this for a spin. Multiple threads, authentication, log out detection, URL aliasing, transparent proxies, load balancers, and thread management are either not mentioned or are *way* too glossed over in the presentation. These are things people think are easy that become Hard Problems(tm) when scaling to enterprise environments. If you are fingerprinting with HTTPrint you have a lot to learn. The nod to client-side static analysis of code was nice and sounded very familiar... [looks at open Visual Studio currently in debugging]... very familiar indeed... Keep your eye on this project.

Why I'm going to Phreaknic

Topic: Technology
1:30 pm EDT, Oct 15, 2007
PhreakNIC 0x0b PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization. In our 11th year, we are now the longest running non-commercial hacker convention in the United States.* PhreakNIC is organized by the Nashville 2600 Organization, which is a 501(c)(3) tax deductible charity. However, it takes many resources to organize, and help is given to PhreakNIC by other 2600 groups in the South East United States, as well as the Nashville Linux Users Group. Our thanks go out to all who contribute.
Phreaknic is this weekend in Nashville. If you have never been to Phreaknic before, or to a hacking conference, or are getting burned out on some of the other security conferences, I encourage you to make the drive to Nashville and come see the show. I've gone for the last 5 years and it is, without a doubt, my favorite small conference. I love going to Phreaknic because:

It's a hacker conference. Let's face it, when you are eating freshly sliced roast beef and drinking at an open bar on Microsoft's tab, you are not at a hacker conference. There is a certain air of authenticity about a conference room full of ugly gray towers covered in peeling stickers, with CRT monitors lighting the faces of a group of people huddled around them, typing excitedly on a keyboard. I sure love me my big east and big west coast cons, but most of them replaced this feeling long ago with sponsor tables and free bottled water. And there is something a little sad about that.

It's small. This is good for many reasons. First, you can easily meet up with people, which is the big reason I go to cons. The speaker rooms aren't all over the place. Lunch trains don't end up being 20+ people. I'm not standing on a stage in front of 400 people with a good 30 feet between me and the front row. I don't have blinding lights in my eyes. I can see the crowd. I can talk with them, not at them.

It's cheap. I haven't paid to attend a hacker conference in, well, I can't think of a time. However, I do remember being a poor college student saving money so I could fly to NYC for HOPE or to San Diego for Toorcon. I remember Tom or Mike or Matt giving me a place to crash on floors and couches and in flea bag motels. I remember being poor and getting poorer to go to a conference. Phreaknic's price doesn't prohibit the smart (but poor) from attending and expanding their horizons, and they should be saluted for that.

There is one track. I don't have to sacrifice one talk to see another. And if I happen to miss a talk, I can always find the speaker and chat with them. Plus, all the talks are broadcast live over the hotel's TV system into every room.

Speaker Love...

And you thought O'Hare was a bad name...

Topic: Technology
9:30 am EDT, Oct 10, 2007
School: Did you really name your son Robert'); Drop Table Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.

HAHAHA! Sweet. To be fair, you shouldn't sanitize user input, you should validate it.

update 10/11/07: Someone posted this to the webappsec mailing list.

Topic: Technology
2:05 pm EDT, Oct 8, 2007
When you give a chef a recipe, you have certain assumptions. Sure, there might not be resources to fully bake the cake, but you assume that their oven and mixer are working. How can you ever hope to cook a cake successfully when your oven isn't even working? [sigh]... If only I were talking about cake. At least with under-cooked cake you can eat the batter.