09-01-2010 22:41
My student Peng and I have been submitting lots of bug reports to maintainers of open source software packages. These bugs were found using Peng’s integer undefined behavior detector. We’ve found problems in OpenSSL, BIND, Perl, Python, PHP, GMP, GCC, and many others.
As we reported these bugs, I noticed developers doing something funny: in many cases, their first reaction was something like:
Please stop bothering us with these stupid static analysis results!
They sa ...
Feed!
09-02-2010 4:46
Speaking of profound misunderstandings, this: BitDefender created a "test profile" of a nonexistent, 21-year-old woman described as a "fair-haired" and "very, very naïve interlocutor" -- basically a hot rube who was just trying to “figure out how this whole social networking thing worked” by asking a bunch of seemingly innocent, fact-finding questions. With the avatar created, the fictitious person then sent out 2,000 "friendship requests," relying on the bogus description and made-up inter ...
09-02-2010 3:38
22 posts left…
While thinking about the previous issue and listening to Jeremiah’s preso and talking with the guys at Microsoft I got to thinking about cookie clobbering. Let’s say that Microsoft thinks HTTP cookies overwriting secure cookies is a big enough problem to fix. Let’s walk through the use cases. Let’s say there is a separate place for secure cookies that can’t be overwritten by non-secure cookies. Does that mean two cookies are replayed in HTTPS space, or th ...
ha.ckers
09-02-2010 3:25
23 posts left…
It’s been known for a long time that HTTP can set cookies that can be read in HTTPS space because cookies don’t follow the same origin policy in the way that JavaScript does. More importantly, HTTP cookies can overwrite HTTPS cookies, even if the cookies are marked as secure. I started thinking of a form of session fixation during our research that uses this to the attacker’s advantage. Let’s assume the attacker wants to get access to a user’s account that ...
ha.ckers
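The two ha.ckers posts above describe the same storage quirk: the cookie store is keyed on name, domain and path only, so a Set-Cookie received over plain HTTP replaces a cookie of the same name that was set over HTTPS with the Secure flag, and the replacement is then sent on later HTTPS requests. The following is an added example, not code from ha.ckers or from any browser: a small model of the RFC 6265 cookie store that reproduces the overwrite, plus an optional `leaveSecureCookiesAlone` switch that applies the later RFC 6265bis rule (a non-secure origin may neither set a Secure cookie nor overwrite one). The host names and cookie values are made up for the demonstration.

```javascript
// Added example: minimal RFC 6265 cookie store. Not browser code; the
// "Leave Secure Cookies Alone" check is a simplified version of RFC 6265bis.

function domainMatches(host, domain) {
  // RFC 6265 section 5.1.3: host equals domain, or host ends with "." + domain
  return host === domain || host.endsWith('.' + domain);
}

function pathMatches(requestPath, cookiePath) {
  // RFC 6265 section 5.1.4 path-match
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value received from `url`.
function parseSetCookie(header, url) {
  const u = new URL(url);
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    secure: false,
    domain: u.hostname, // no Domain attribute => host-only cookie
    hostOnly: true,
    path: '/',
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1);
    if (key === 'secure') cookie.secure = true;
    else if (key === 'path' && val.startsWith('/')) cookie.path = val;
    else if (key === 'domain' && val) {
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
      // a Domain attribute that does not cover the responding host is rejected
      if (!domainMatches(u.hostname, cookie.domain)) return null;
    }
  }
  return cookie;
}

class CookieJar {
  constructor({ leaveSecureCookiesAlone = false } = {}) {
    this.leaveSecureCookiesAlone = leaveSecureCookiesAlone;
    this.cookies = [];
  }

  // Store a cookie from a response at `url`. Returns false if rejected.
  setCookie(url, header) {
    const cookie = parseSetCookie(header, url);
    if (!cookie) return false;
    const fromSecureOrigin = new URL(url).protocol === 'https:';

    if (this.leaveSecureCookiesAlone && !fromSecureOrigin) {
      // RFC 6265bis: non-secure origins cannot create Secure cookies ...
      if (cookie.secure) return false;
      // ... nor overwrite an existing Secure cookie with the same name
      const shadowsSecure = this.cookies.some(c =>
        c.secure && c.name === cookie.name &&
        (domainMatches(cookie.domain, c.domain) || domainMatches(c.domain, cookie.domain)) &&
        (pathMatches(cookie.path, c.path) || pathMatches(c.path, cookie.path)));
      if (shadowsSecure) return false;
    }

    // RFC 6265 section 5.3: the new cookie replaces any existing cookie with the
    // same name, domain and path. The scheme and the old Secure flag play no part.
    this.cookies = this.cookies.filter(c =>
      !(c.name === cookie.name && c.domain === cookie.domain && c.path === cookie.path));
    this.cookies.push(cookie);
    return true;
  }

  // Cookie header the browser would attach to a request for `url` (section 5.4).
  cookieHeaderFor(url) {
    const u = new URL(url);
    return this.cookies
      .filter(c => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
      .filter(c => pathMatches(u.pathname, c.path))
      .filter(c => !c.secure || u.protocol === 'https:')
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The session-fixation scenario from the post, with and without the fix.
function fixationDemo(leaveSecureCookiesAlone) {
  const jar = new CookieJar({ leaveSecureCookiesAlone });
  // Victim logs in over HTTPS; the site sets a Secure session cookie.
  jar.setCookie('https://bank.example/login', 'session=victim-session; Secure; Path=/');
  // An active attacker answers a forced plain-HTTP request to the same host
  // with a Set-Cookie of the same name (constructed attacker value).
  const overwritten = jar.setCookie('http://bank.example/', 'session=attacker-chosen; Path=/');
  // What now goes to the HTTPS site on the next request.
  return { overwritten, sent: jar.cookieHeaderFor('https://bank.example/account') };
}

module.exports = { CookieJar, parseSetCookie, domainMatches, pathMatches, fixationDemo };
```

With the switch off, `fixationDemo(false)` returns `session=attacker-chosen` for the HTTPS request, which is exactly the clobbering the posts describe; with it on, the plain-HTTP Set-Cookie is dropped and the original Secure cookie survives. Note that even with the fix, a cookie set over HTTP under a different name is still sent on HTTPS requests, so a server must not trust a cookie merely because it arrived over TLS.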
09-02-2010 2:34
“Cross Site Request Forgery (CSRF) PoC Template (by Javascript)” project page has been updated.
Please visit the project section:
http://soroush.secproject.com/blog/projects/csrf_poc_template/
@ScriptName: Cross Site Request Forgery (CSRF) PoC Template
@Purposes: For any Legal/Ethical Educational Security Research Only (without any WARRANTY). You can create your own CSRF PoCs by using this template. Author does not accept any responsibility or liability for the ...
09-01-2010 22:52
The XML Security Working Group has published five working drafts today. XML Signature 2.0, Canonical XML 2.0 and the XML Signature Streamable Profile of XPath 1.0 are part of an ongoing effort to rework XML Signature and Canonical XML in order to address issues around performance, streaming, robustness, and attack surface. The Working Group has also published updated Working Drafts for its XML Signature Best Practices and XML Security Relax NG Schemas Working Group Notes. Learn more about X ...
09-01-2010 22:12
There seems to be a significant, government-sponsored push for compulsory certification and licensing in the security industry. The wonderfully self-contradictory report from the Commission on Cybersecurity aside, Larry Seltzer pointed out that this very idea is also a major part of the proposed Cybersecurity Act of 2009:
"Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the Uni ...
09-02-2010 4:17
19 posts left…
So Pyloris doesn’t work particularly well for port exhaustion on the server, but what if we can exhaust the connections on the client to better meter out traffic? That would make it easier for a MITM to see each individual request if it worked. So I started down a rather complicated path of using a mess load of link tags on an HTTP website trying to affect the connections on the HTTPS version of the same domain. No joy. It turns out that the limits placed on one por ...
ha.ckers
09-01-2010 22:44
Small- to midsized businesses taking the biggest hit, experts say, but consumer banking customers could be next in the bull's eye ...
09-02-2010 17:07
Summer in Idaho is treasured all the more since it is all too brief. We had a long, cold spring - my lilacs were two months behind those of friends and family on the east coast - and some flowers that normally do well here never did poke their colorful heads out of the ground.
My personal gardening forays have been mixed: some things I planted from seeds never came up, and others only just bloomed in August, much to my delight. I am trying to create order from chaos - more specifical ...