Archive for December, 2008

Expediency in patches/fixes/knowledge

Tuesday, December 16th, 2008

Everyone knows that there are vulnerabilities from time to time and you should upgrade things like WordPress, Windows, OS X and other pieces of software commonly used by lots of people. One thing that people don’t take into account is the actual times and dates of the proof of concept (POC), the subsequent weaponization of the exploit (if it came from a nefarious source), and then the vendor’s patch and announcement (if they even notice or care).
Let’s take the most recent exploit that came out for Internet Explorer as our example. The first easily referenceable date I could find for this exploit.

That’s right – four days from POC to “publicly downloadable and available for anybody to use”.

The day I’m writing this post (Monday night, Dec 16) the Microsoft investigation page still says they’re investigating. If they have any sense, tomorrow’s ‘Patch Tuesday’ security patch should contain a fix.

That being said – it’s been a week and there is no patch. What does that mean for the end user, CEO, marketing folks, sales people, graphic artists and other people who aren’t focused on security all the time?

  • Everyone running IE7 in your enterprise/company/network is vulnerable (and still is, as of Dec 15).
  • If this is exploited, there is a fair chance that nobody will know until there is a patch, or the antivirus vendors catch up.
  • If this was exploited on 0-day, then an attacker has been in your network FOR A WEEK ALREADY.
  • Once the fix comes out the hole is patched...
  • But it’s very likely entirely separate attacks were used once IE7 was exploited, so applying the patch to fix IE7 won’t fix any damage the attacker has already done.

Not everyone has to be security conscious all the time. For that there are people like us!
Here’s something I see every day: the list of new exploits that come out on milw0rm.com (which is just one of the many sites that exist for publishing known exploits):

Look at the third one down on Dec 15 :)

Log Auditing for fun and profit

Tuesday, December 9th, 2008

Again I find myself in a position where I am in need of full-time work. I was able to sustain myself as a full-time freelancer for 8 months (not too shabby!), but now it seems the market is drying up, and while not for a lack of effort on my part to find sales people or to promote myself by basically bribing people with a 10% commission, I’ve not been able to get enough business to sustain myself any longer. I’ll not go into any of the nasty business of clients who decided they didn’t feel like paying me, or clients that had me draw up proposals only to vanish into the ether – because this post is about fun stuff!

All that being said – I like to be clever. I like to use ingenuity to do basically what everyone else does, but put a fancy little twist on it. Historically, when someone is looking for a job, they will hit some job search sites like Monster and Dice and then send their resume to people – never knowing if it gets seen by human eyes, or ever gets any attention. Who knows? Does your resume even get read? If it does, how soon? Wouldn’t it be nice to see the time correlation between when you sent your resume to someone and when they actually looked at it – or even if they looked at it at all?


Security101, but better!

Monday, December 1st, 2008

A friend of mine, Damon (@dacort) recently put together a formal class to illustrate some of the vulnerabilities he’s found.

This class was geared more towards PHP and Rails rather than a sort of ‘introduction to personal security’, and went over things like cross-site scripting, cross-site request forgery, SQL injection, and using really neat tools that I didn’t know about to enumerate databases behind vulnerable web apps.

REALLY REALLY neat stuff. If you’ve been to any of my talks, you should watch Damon’s.

He can be found over at startupsecurity.info.

StartPad Countdown 2 – Startup Security: Hacking and Compliance in a Web 2.0 World
