In addition to CGISecurity I work on other side projects from time to time. Below is my second announcement from my latest project. Introduction I have built out several penetration testing programs, both internally and externally at companies such as eBay, Paypal, and Box to name a few. Before you have the...
Announcing SecTemplates.com and the incident response program pack 1.0
In addition to CGISecurity I work on other side projects from time to time. Below is an announcement about my latest project. Introduction I've worked in the security industry for over 20 years and, during this time, have built and shaped many security programs. At every company I join, I find myself...
My experience coleading purple team
I've been fortunate enough to manage a red team program for several years and since it's inception it has gone through many changes. What started out as adhoc engagements trying to see how far we could get/what problems we could find, turned into a mechanism to work more closely, and regularly with...
Presentation: Problems you'll face when building a software security program
A video for a talk I gave at LASCON last year made it online that some folks may find interesting. I rarely give public talks, but felt this information would have been useful to learn earlier in my career. Basically it goes through problems I've had to deal with building out appsec...
Google's intentions are good, but implementation leave MORE users vulnerable to hacking than before
In 2010 I wrote an article about a flaw Google discovered, and published working exploit code when no fix or mitigation existed. This allowed attackers to immediately start using the flaw to hack Google's own users (in this case, the world). Since then Google has announced a new program 'Project Zero' which...
My experience with developer security training
I've been busy this past year which has resulted in almost no updates to this site. Consider this one of many rants/posts of my experience/s in the industry during this time. This post covers a topic I think many people implement poorly, which is security training targeting developers. How most people implement...
A reminder that what you say at events may show up in unexpected places (like the news)
Last week I was fortunate enough to be invited to a Yahoo event discussing bug bounty programs where all the organizers of these bounties were discussing their experiences. I attended this conference because years earlier I was involved in creating PayPal's bug bounty program and wanted to ask a panel of people...
Malicious CA's continue to cause headaches
Google published today that yet another CA has been caught generating certs for Google's domains. This problem is likely occuring on a much larger scale and seems to be detected by chance. Some have suggested crawling the internet and starting a DB, and while this may detect some issues it's limited for...
Five pieces of advice for those new to the infosec industry
I've worked in the security field in various roles (script kiddie, security researcher, incident response, application security engineer, security consultant, strategy, etc..) and thought I'd share a few points to those of you starting out in the security industry. Things are worse than you expect The reality is that companies, even large...
Security Industry Plagiarism: Finding 3 examples in 5 minutes with Google
UPDATE: One of the authors has posted two responses including an apology (accepted). I was taught in grade school that if you plan on writing something, never plagiarize. If you want to republish portions of existing content ensure you properly quote/reference them, and never represent this content as your own original work....
How not to publish SCADA security advisories
"Luigi Auriemma" has posted an interesting series of SCADA vulnerabilities to the bugtraq security list this morning. From his email "The following are almost all the vulnerabilities I found for a quick experiment some months ago in certain well known server-side SCADA softwares still vulnerable in this moment. In case someone doesn't...
Easy Method For Detecting Caching Proxies
While thinking about some of the transparent proxy problems I came up with a fairly reliable way to detect caching proxies. Caching proxies can be either explicit or transparent, but are typically used in a transparent mode by an ISP to cut down on upstream bandwidth. A side effect (and benefit :)...
CGISecurity Turns 10!: Summary of the more interesting site posts throughout the years
To commemorate this site turning 10 I've created a list of my top 10 thought provoking/innovate posts that people who haven't been following this site may be unaware of. The Cross-site Scripting FAQ (2001) In 2001 someone informed me of this new threat involving the injection of HTML/Javascript into a site's response...
CGISecurity.com Turns 10!: A short appsec history of the last decade
Ten years ago today I started cgisecurity.com to fill a void in the application security space. At the time no other dedicated site existed, neither OWASP nor WASC had been created, and the www-mobile list was effectively the only place to discuss web related vulns and attacks . When I first started...
Why publishing exploit code is *generally* a bad idea if you're paid to protect
Update2: Further proof that people are abusing this in a wide scale and likely wouldn't have had the exploit code not been released. Update: I've clarified a few points and added a few others. Recently Tavis Ormandy (a google employee) discovered a security issue in windows, and days after notifying Microsoft published...
Random FireFox URL handling Behavior
About a year ago I discovered this by accident and hadn't seen it published anywhere so thought it was worth mentioning. If you enter the following into the firefox URL bar it will follow them to www.cnn.com. [http://www.cnn.com] [http://]www.cnn.com [http://www].cnn.com Etc... You can also substitute [] for {} or " and it...
Larry Suto Web Application Security Scanner Comparison Report Inaccurate Vendors Say
Larry Suto published a report comparing the various commercial web application security scanners. As you'd expect the vendors are likely to respond about how inaccurate the report is, however in this case both HP and Acunetix argued valid points. From Acunetix "They were not found because Larry didn’t authenticated our scanner (didn’t...
Threat Classification v2 and the need for change
As I recently posted the WASC Threat Classification v2 is currently in a public working state and there's been a buzz on the mailing lists about it compared to other related projects. Vishal Garg posed a question I was expecting for awhile which is why does the TCv2 look so much different...
Blackhat 2006 RSS Security Talk Video Available
In 2006 I gave a talk on hacking RSS feeds, and feed readers. I stumbled upon the video for blackhat 2006 by accident the other day and thought it was worth posting. Video: http://media.blackhat.com/bh-usa-06/video/2006_BlackHat_Vegas-V36-Auger_and_Sima-0day_subscriptions.mp4 Slides: http://www.cgisecurity.com/papers/RSS-Security.ppt Paper: http://www.cgisecurity.com/papers/HackingFeeds.pdf
Socket Capable Browser Plug-ins Result In Transparent Proxy Abuse
For over a year in my spare time I've been working on a abuse case against transparent proxies at my employer, and have just released my latest paper '"Socket Capable Browser Plugins Result In Transparent Proxy Abuse". When certain transparent proxy architectures are in use an attacker can achieve a partial Same...
Application Security Vendors Need Help With Reporting
I've been reading web application vulnerability reports from tools and services for 6-7 years and found that 99% of these reports are geared towards security engineers or system administrators. Many of the reports I see focus on The type of flaw and what it its impact is The URL affected Links to...
The security industry needs to re-align its training expectations for QA
I've been involved in the security community for over 10 years and have worked for small, medium, and large companies. I have also worked in Quality Assurance and base my comments here on my experiences being a QA tester, and speaking with them as an outsider. I've seen advice in articles, and...
Rant: Mac user's security arrogance clouds common sense
F-Secure has posted the following blog entry at securityfocus. "There has been a lot of talk (link 1, link 2, link 3) during the last few days about a support article that seemingly appeared on the Apple website. In the article, Apple advised users to install an anti-virus software to make sure...
Fyodor speculates on new TCP Flaw
Fyoder (the author of nmap if you've been sleeping under a rock) has posted a write up on the recent TCP Dos flaw. UPDATE: According to a post by Robert Lee this isn't the issue. "Robert Lee and Jack Louis recently went public claiming to have discovered a new and devastating denial...
Researchers from Princeton University Publish vulnerabilities in unpatched sites
Yesterday a couple of 'researchers' published that a couple of major sites were vulnerable to CSRF. A general rule of thumb is that unless you are explicitly protecting against CSRF, or are accidentally protected, then you're vulnerable. CSRF in 2008 is what XSS was in 2002, somewhat understood and rarely protected against...
The Palin Hack: Why most question recovery systems suck
Motley fool wrote an article blaming Yahoo! for the Palin Hack. Computerworld has pointed out Gmail, Yahoo, and Hotmail as being vulnerable as well. To be clear any site supporting answering of common questions as a way to restore account access is vulnerable. The issue is not that these sites are vulnerable...
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud
Intro The following describes a long-standing and common implementation flaw in online affiliate programs allowing for fraud. For those unfamiliar with affiliate programs, they provide a way for companies to allow 3rd parties/website owners to direct traffic to their site in exchange for a share of the profits of user purchases. Most...
Utilization of the same credentials across various sites
For years people have been getting their online accounts compromised due to phishing as well as via brute force attacks due to poorly chosen passwords. We also know that people tend to share the same credentials across multiple sites however I haven't seen any concrete research/metrics on how commonplace this is or...
DNS Vulnerability Leaked By Matasano Security After Being Asked Not To By Vulnerability Discoverer
"Two weeks ago, when security researcher Dan Kaminsky announced a devastating flaw in the internet's address lookup system, he took the unusual step of admonishing his peers not to publicly speculate on the specifics. The concern, he said, was that online discussions about how the vulnerability worked could teach black hat hackers...
GRSecurity Author Outlines Lack of Full Vulnerability Disclosure by Linux Kernel Developers
From the 'If you don't know, now you know, !@#$!' department The following email was sent to the full disclosure mailing list today by Brad Spengler, the author of GRSecurity. "I doubt many of you are following the "discussions" (if they can be called that) that have been going on on LWN...
My current stance on Web Application Firewalls
Andre Gironda has posted an interesting take on 'what web application security really is'. I agree with some of his points however one in particular I'm going to have to disagree with and that related to using Web application firewalls. For many years I've been anti Web application firewall and as a...
How NOT to handle finding vulnerabilities at your company
UPDATED Link to Steve's interview with CrYpTiC_MauleR added below. At first I wasn't going to post about this but since it doesn't seem to be dying I will. Long story short 1. A Low level techie finds weaknesses/vulnerabilities at the company he works for (TJX) 2. ?He reports these issues to who...
Bots Use SQL Injection Tool in Web Attack and Rant
"The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with...
Bruce Schneier rants about 1984
"Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced. Data collection in Nineteen Eighty-Four was deliberate; today's is inadvertent. In the information...
Getting to see an enigma machine at RSA 2008
My week at RSA has been fairly interesting. One of the highlights was getting to see an enigma at the NSA booth. Here is a short video I made of the NSA Museum employee explaining how it works.
Calling all Web Hacks of 2007
Jeremiah Grossman, Rsnakez0r, and myself put together a top web hacks of 2006 last year and this year we're soliciting public participation to submit what you think made the list for 2007. From Jeremiah's blog "As RSnake, Robert Auger, and I released in 2006, we’ll be putting together a Top 10 Web...
Browser Security: I Want A Website Active Content Policy File Standard!
UPDATE Before reading on any further I want to prefix that the purpose of this post is to begin a discussion on the ways a website can communicate to a browser to instruct it of what its behavior should be on that site. The example below is a "sample implementation" and isn't...
5 amusing security vendor moments
This list was created based off of real security vendor interactions that I and a friend have experienced. 1.Customer: Have you had a security evaluation of your product? Vendor: Yes, Kevin Mitnick has performed a pen test against our product. (sorry kevin! :) 2. The vendor comes to your office and pitches...
Cenzic Patent Case Worries Web Researchers, Vendors
"A patent infringement lawsuit recently filed by Cenzic against SPI Dynamics has Web application security companies and researchers on edge. If successful, the suit -- which centers around Cenzic's patent on a Web application vulnerability scanning technology -- could mean trouble for other scanner vendors, as well as researchers who develop scanning...
My experience at blackhat/defcon
Vegas was interesting this year to say the least. For starters I finally got to attend NOT as a vendor which I gotta say was pretty nice. Here are the talks I attended. Intranet Invasion With Anti-DNS Pinning It's All About The Timing Tactical Exploitation (Part 1) Dangling Pointer IsGameOver(), anyone? The...
Rant: Security 2.0 and Ethics 0.2 Beta
UPDATE: There is a thread on the slackers forum talking about this below if you want to join in on the conversation. FX from Phenoelit has posted an interesting rant on the ethics and hype in the security industry. "The Web 2.0 has all the potential for the next big wave of...
Cenzic Patents the obvious: Fault Injection!
I monitor google news for anything application security related and found the following announced today by Cenzic. "the U.S. Patent and Trademark Office (PTO) has issued the company U.S. Patent No. 7,185,232, focused on fault injection technology, which is commonly used by most security assessment scanners." - Cenzic Cenzic is not the...
A black market for search terms and user interests?
<thinking-out-loud> Google has recently added search history and this got me thinking about how this information could be useful. Currently gmail is linked to all of google and if you search for something while logged into google and have search history turned on, it gets recorded. Now you have data on what...
Top 10 Web Hacks of 2006
I assisted Jeremiah Grossman and Rsnake in compiling a list of application security issues in the year 2006 that can be found on Jeremiah's blog. That is all.
Top 5 signs you've selected a bad web application package
5. The vendor's idea of a patch process involves you editing line X and replacing it with new code 4. The amount of total downloads is less than the application's age 3. It isn't running on the vendors homepage 2. The readme file states that you need to chmod a certain file...
More fun with CSS history
There's been a big fuss that with CSS you can identify if someone has visited a certain link. I started to think about expanding this and came up with a neat little trick you can do involving online advertising. You run www.sitea.com and www.siteb.com and www.sitec.com are competitors of yours. Now you...
ALERT: Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability Discovered
CERT has issued a warning against a new web based threat entitled a "Cross HTTP Response Splitting Session Fixation Smuggling Scripting Vulnerability". According to the founder of DSHIELD Johannes Ullrich "If on April 1st you have specific non default settings in Internet Explorer, visit a serious of 4 specific websites in order...
Application Security Predictions For The Year 2006
In 2005 published application security vulnerabilities have exploded. If you're subscribed to mailing lists such as bugtraq you know just how often Cross Site Scripting, SQL Injection, or Remote Command Execution vulnerabilities are discovered and exploited. I've prepared a prediction outline for the year 2006 exclusively covering the threats that the web...
OWASP vs WASC
CMP Media has written a nice comparison chart between WASC (an organization I co founded :) and OWASP. While I may not agree with everything in this article, it does clearly outline a few key points between the two organizations. However I *don't* agree with the following: "Two organizations promise to help....
MRTG for Intrusion Detection with IIS 6
I found this interesting article on securityfocus which explains how to use mrtg (a popular traffic monitor tool) to monitor intrusion attempts against a IIS 6.0 machine. "But MRTG is also a very effective intrusion detection tool. The concept is simple: attacks often produce some kind of anomalous pattern and human brains...