GNUCITIZEN in 2005

I thought that this would be interesting to some of you. This is what GNUCITIZEN looked like back in 2005, when it was just a personal website rather than a group of like-minded people as it is today.

It is quite nice to look back and see how things progressed over the years.

6000 Members on HoH

Just a couple of months ago, we started HoH as one of our social experiments. Initially the network was composed of just about 10-15 people and there was nothing fancy about it. We didn’t even have a domain, although we promised ourselves that if we reached 1000 members we would certainly look into buying a domain and also investing in other resources.

Amazingly, we reached the 1000 cap quite rapidly and today the HoH network is just over 6000 members. [...]

Harder, Better, Faster, Stronger – The Malware

I am sure that you know this song. Yes, Daft Punk absolutely rocks, although this post is about malware, not the band.

Anyway, I was going through some blogs today and I stumbled across some articles regarding a piece of malware affecting MacOS. Apparently this piece of malicious software is of the downloader/installer type. All it does is connect to a remote server, fetch the payload and execute it. Nothing special really! [...]

We Need Better Web Tools

Oh yes, we certainly do! And let me tell you something: they ain’t going to be quite the same thing as what we are used to.

Back in the day, all you needed was a proxy, a dummy scanner/spider just to lift some of the repetitive and boring things off your back, and your brain. You were pretty much settled. Today, you need to do things beyond that. Web technologies are just starting to show their ugly face and we are here to see/experience them for the first time. [...]

The Cloud is not That Insecure

I am sure that by now you’ve seen/heard a lot of rants about how insecure cloud technologies are, etc. What worries me is that these claims are made by people who have never worked with cloud technologies and therefore have no clue on the subject whatsoever.

All of these claims actually have a common root. It is only logical to think that Gmail perhaps is less secure than your self-hosted email solution, for example. [...]

Back from the cons!

It’s been a crazy month, so much going on! I had the pleasure of presenting my updated Cracking into embedded devices presentation at Hack.lu (Luxembourg) and Hack in the Box (Malaysia). I also had to give a talk on PCI DSS in London, which was a challenge as PCI DSS is not the most fun topic for me, trust me!

The best thing about attending these kinds of events is the technical discussions and exchange of ideas with not just other presenters but also attendees. [...]

Facebook, Worms and RSS Feeds – Hacking The Web2.0 Way and Beyond

This morning I was reading an interesting article from Ryan Naraine (ZDNet Zero Day Blog) regarding a Facebook worm which uses RSS feeds and in particular Google Reader to strengthen its attack strategy. Interesting…

If you have been following GNUCITIZEN’s research and in particular this blog, you know this is not big news since I’ve been describing the numerous web2.0 attack strategies countless times. Perhaps you remember my paper on hacking Web2.0? [...]

WP Blogsecurify

The WP Blogsecurify 1.0 WordPress plugin is out.

What does it do?

WP Blogsecurify is a security plugin for WordPress designed to integrate several simple but important security patches for the popular blogging platform. [...]

Script Kiddies

According to Wikipedia:

It continues: Script kiddies have at their disposal a large number of effective, easily downloadable malicious programs capable of harassing even advanced computers and networks.

Anyway, according to Wikipedia, I do not know a single person involved in the information security industry today that does not fit the description of a script kiddie. [...]

Frame Injection Fun

Although some people might consider frame injection vulnerabilities the same as HTML injection/XSS, or even a subset of it, they really are not the same. Here is why:

There is no need to inject special control characters such as angle brackets (unlike HTMLi/XSS)
HTMLi/XSS filtering routines will not protect against frame injection since the attacker only needs to insert a URL in the non-sanitized parameter

The best way to explain what I mean is to show an example. [...]
