"Executive Summary Skein is a new family of cryptographic hash functions. Its design combines speed, security, simplicity, and a great deal of flexibility in a modular package that is easy to analyze. Skein is fast. Skein-512 -- our primary proposal -- hashes data at 6.1 clock cycles per byte on a 64-bit...
Article: Be aware of SOA application security issues
"Extensible Markup Language (XML), Web services, and service-oriented architecture (SOA) are the latest craze in the software development world. These buzzwords burn particularly bright in large enterprises with hundreds or thousands of systems that were developed independently. If these disparate systems can be made to work together using open standards, a tremendous...
Site News: We want to hear from you!
As some of you may have noticed, I've expanded the news beyond purely technical articles, papers and advisories to cover security process as well. Rather than alienate many of you, I'm asking: what sorts of things would you like to see posted more often? What do you care about most? - Advisories - Product Press...
Threat Models Improve Your Security Process
"This column proposes a way to think about secure design from a more holistic perspective by using threat models to drive your security engineering process, primarily helping you prioritize code review, fuzz testing, and attack surface analysis tasks. As a setup for this column, you might want to first read Jeremy Dallman's...
Agile SDL Streamline Security Practices For Agile Development
"In the September 2008 issue of MSDN Magazine, I wrote a column about the additions that Microsoft has made to the Security Development Lifecycle (SDL) process to address security vulnerabilities in online services. I talked about the importance of input validation and output encoding in order to prevent cross-site scripting attacks; about...
Microsoft's Stance on Banned APIs
Microsoft has a blog entry on its rationale and process for banning certain API calls to improve its software's security. "Jeremy Dallman here with a quick note about a code sanitizing tool we are making available to support one of the SDL requirements – Remove all Banned APIs from your code. This requirement was...
ICANN Terminates EstDomains Registrar Accreditation due to Fraud, Money Laundering Convictions
Gadi Evron posted the following link to the Full Disclosure list this morning, which I thought was interesting. Read More: http://www.icann.org/correspondence/burnette-to-tsastsin-28oct08-en.pdf
Yahoo Security Flaw Fixed in hours
"Hours after Web analytics firm Netcraft (www.netcraft.com) announced a flaw on a Yahoo (www.yahoo.com) website used to steal users' authentication cookies to gain access to Yahoo accounts, such as Yahoo Mail, the company blocked entry to hackers. In an email message to theWHIR Monday, Yahoo's HotJobs division stated that the cross-site scripting...
Identifying browsed pages behind SSL via packet size monitoring
The following article was posted to The Web Security Mailing List earlier today. "Recently, the world saw The Pirate Bay offering SSL encryption on their server. This means that your ISP won't know anymore which torrent you are downloading, right? Wrong. HTTPS is quite useless for protecting static and public content. By...
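The post above argues that TLS does not hide which public, static resource a client fetched, because response lengths survive encryption. The following is an added example, not code from the mailing-list post: it models an observer who first crawls the public site to build a catalogue of response sizes, then matches the length of an encrypted response against that catalogue. The TLS 1.2 AES-GCM record overhead constants, the resource catalogue and the observed lengths are all constructed assumptions; the matching logic and the bucket-padding mitigation are the point.

```python
"""
Fingerprinting fetched pages through TLS by response size (added example).

Assumptions (not from the original post):
  - TLS 1.2 with an AES-GCM cipher suite: each record carries a 5-byte header,
    an 8-byte explicit nonce and a 16-byte authentication tag, and holds at
    most 16384 plaintext bytes. Other cipher suites change the constants only.
  - The catalogue below (path -> plaintext size of headers + body) is a
    constructed stand-in for what an observer gets by crawling the public
    site once over plain HTTP or from their own HTTPS session.
"""
import math

TLS_RECORD_HEADER = 5
GCM_EXPLICIT_NONCE = 8
GCM_TAG = 16
MAX_PLAINTEXT_PER_RECORD = 16384
RECORD_OVERHEAD = TLS_RECORD_HEADER + GCM_EXPLICIT_NONCE + GCM_TAG  # 29 bytes

# Constructed catalogue: plaintext response sizes in bytes.
CATALOGUE = {
    "/": 48213,
    "/torrent/1001/ubuntu-8.10.iso": 7342,
    "/torrent/1002/debian-5.0.iso": 7388,
    "/torrent/1003/fedora-10.iso": 9120,
    "/static/style.css": 5112,
}


def ciphertext_length(plaintext_len: int) -> int:
    """Bytes seen on the wire when plaintext_len bytes are sent as full TLS records."""
    if plaintext_len == 0:
        return 0
    records = math.ceil(plaintext_len / MAX_PLAINTEXT_PER_RECORD)
    return plaintext_len + records * RECORD_OVERHEAD


def fingerprints(catalogue: dict) -> dict:
    """Expected on-the-wire length for every catalogued resource."""
    return {path: ciphertext_length(size) for path, size in catalogue.items()}


def identify(observed_bytes: int, catalogue: dict, tolerance: int = 0) -> list:
    """Catalogue paths whose expected wire length is within `tolerance` of the
    observed encrypted response. Tolerance absorbs small header variance
    (Date, Content-Length digits, etc.). An empty list means no match."""
    fp = fingerprints(catalogue)
    return sorted(p for p, n in fp.items() if abs(n - observed_bytes) <= tolerance)


def pad_to_bucket(size: int, bucket: int) -> int:
    """Mitigation: pad every response up to a multiple of `bucket` bytes."""
    return math.ceil(size / bucket) * bucket


def padded_catalogue(catalogue: dict, bucket: int) -> dict:
    """What the catalogue looks like if the server pads responses to buckets."""
    return {path: pad_to_bucket(size, bucket) for path, size in catalogue.items()}


if __name__ == "__main__":
    # Constructed observation: one encrypted response of 7371 bytes.
    observed = 7371
    print("exact match:", identify(observed, CATALOGUE))
    print("with 50-byte tolerance:", identify(observed, CATALOGUE, tolerance=50))
    # Same observer against a server that pads to 4 KiB buckets: the three
    # small resources collapse into one indistinguishable size.
    padded = padded_catalogue(CATALOGUE, 4096)
    print("padded server, 8221 bytes observed:", identify(8221, padded))
```

The tolerance parameter is where the attack gets realistic: a few bytes of header jitter turn an exact lookup into a short candidate list, which is still a near-complete loss of privacy when catalogued sizes are tens of bytes apart. The padded catalogue shows why the only server-side fix is to make distinct resources the same size on the wire; compression, chunking and Range requests all need the same treatment or they reintroduce the leak.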
Why Microsoft's SDL Missed MS08-067 in their own words
"No doubt you are aware of the out-of-band security bulletin issued by the Microsoft Security Response Center today, and like all security vulnerabilities, this is a vulnerability we can learn from and, if necessary, can use to shape future versions of the Security Development Lifecycle (SDL). Before I get into some of...
Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild
The Patch: Microsoft has released the patch to Windows Update. Details: "This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an...
What videogames teach us about security
Forbes has an interesting interview with Gary McGraw on how computer games provide insight into the motives and mindset of an attacker. "What problem do these trust boundaries pose? In this case, the gamer is the attacker and what they're doing is cheating in the virtual world to generate wealth that they...
Wireshark 1.0.4 Released
A new version of Wireshark (Ethereal) has been released to address multiple security issues. "Impact It may be possible to make Wireshark crash by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file. Resolution Upgrade to Wireshark 1.0.4 or later. Due...
My Trip To Microsoft's Bluehat Conference
Last week I attended Microsoft's Bluehat conference for the first time and found the experience to be pretty positive. Here are a few highlights. New Tools Announced: - Microsoft Threat Modeling tool v3.1 RC2 (public release date: unknown) - CSSH is a CSS history theft tool combining a crawler to enumerate the...
Load Jacking latest buzzword
I hate promoting new buzzwords, but found this one amusing. "So what do you do when you’re a couple of bored Russian immigrants with some cool hacking skills and you want to make some money the easy way? Well, if you are Nicholas Lakes and Vaiachelav Berkovich you set yourself up as...
Silverlight 2 Released
From the asp.net blog. "Today we shipped the final release of Silverlight 2. You can download Silverlight 2, as well the Visual Studio 2008 and Expression Blend 2 tool support to target it, here. Cross Platform / Cross Browser .NET Development Silverlight 2 is a cross-platform browser plugin that enables rich media...
OWASP European Summit 2008 is November 3-7 in Portugal
Matthew Chalmers submitted the following news. "With the theme "Setting the AppSec Agenda for 2009" the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a...
Dave Aitel on Static Analysis Tools
Dave Aitel has posted to dailydave with his thoughts on the static analysis industry. From his email: "So OWASP was dominated by lots of talk from and about static code analysis tools. I wandered around with a friend of mine at the various booths (CodeSecure [1], Fortify[2], IBM AppScan[3], Ounce Labs) and tried...
Uninformed Journal Release Announcement: Volume 10
Uninformed is pleased to announce the release of its 10th volume which is composed of 4 articles: Engineering in Reverse - Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS Author: Skywing - Using dual-mappings to evade automated unpackers Author: skape Exploitation Technology - Analyzing local privilege escalations...
Reviews: Security scans with OpenVAS
"As important as security is, remaining current with every development is hard, and evaluating possible vulnerabilities across a network can be quite a chore. You need a way to both automate tests and make sure you're running the most appropriate and up-to-date tests. Open Vulnerability Assessment System (OpenVAS) is a network...
Recovering Censored Text Using Photoshop and JavaScript
"A friend recently posted a teaser for a new project he’s working on, but with part of the headline pixelated to obscure what the project actually is. My curiosity got the best of me and I decided to do what any self-respecting geek would do: write a program to figure out what...
Details of Clickjacking Attack Revealed With Online Spying Demo
"A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works. Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it -- Jeremiah Grossman and Robert “RSnake” Hansen -- at the request of Adobe,...
CGISecurity Interview: Jeremiah Grossman provides more details on clickjacking attack
UPDATE: There is a thread on The Web Security Mailing List discussing possible solutions. Little information has been provided on clickjacking, so I decided to go digging a little bit and talk to the source to find out some additional information. Here's my interview with Jeremiah Grossman on Friday, October 3rd. How...
R.I.P. CAPTCHAs: Gmail, Hotmail, Etc...
XRumer was recently released, putting another nail in the CAPTCHA coffin. "The decline in CAPTCHA efficacy has been an ongoing story in 2008, as hackers and malware authors have steadily found ways to chip away at the protection these security practices were once thought to offer. Now, new findings indicate that both...
PHP 5.3 and Delayed Cross Site Request Forgeries/Hijacking
"Although PHP 5.3 is still in alpha stage and certain features like the PHAR extension or the whole namespace support are still topics of endless discussions it already contains smaller changes that could improve the security of PHP applications a lot. One of these small changes is the introduction of a new...
Fyodor speculates on new TCP Flaw
Fyodor (the author of nmap, if you've been sleeping under a rock) has posted a write-up on the recent TCP DoS flaw. UPDATE: According to a post by Robert Lee, this isn't the issue. "Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating denial...
Kevin Mitnick Detained in Atlanta for having computer equipment on flight
If you know me, you know I don't like Atlanta and have many reasons (which I won't go into here). I have another one to add to the list after reading a story about Kevin Mitnick being detained for having lots of computer equipment with him. "In his luggage, they found a...