Bookmarklet of death: Domain hijacking without 0days

So we all know about cross-domain vulnerabilities that allow attackers to run code within the security context of the target domain. Typically, they are either an XSS bug in the server-side application, or a bug in the client (web browser plugin or web browser itself). Most of the time, these vulnerabilities require some type of interaction from the victim user, i.e. being tricked into clicking on a link or visiting a malicious page.

Now, most techies are familiar with bookmarklets. [...]

posted by Adrian 'pagvac' Pastor
GIFARs and Other Issues

A lot of people have asked me (especially reporters) about the GIFAR attack since it resembles what I have already spoken about here and presented at the last Black Hat in Amsterdam. So, I decided to shed some light without being too revealing, as the talk which will demonstrate and explain the attack in more detail will give away the awesome stuff. This is my public statement:

So yes, the whole notion of combining JAR files with other types of files is not new. [...]

posted by pdp
Pwnie Award Nominee

Yesterday a friend of mine let me know that some of my BT Home Hub security research (details here and here) got nominated for the Pwnie Awards.

At first I thought “oh, that’s cool”, but then I learned the category my research had been nominated for: Most Overhyped Bug. [...]

posted by Adrian 'pagvac' Pastor
Tiger Team Operations vs. Penetration Tests

If you read Wikipedia’s definition of Tiger Team you get the following: “A tiger team is a specialized group tasked with testing the effectiveness of an organization’s ability to protect assets by attempting to circumvent, defeat or otherwise thwart that organization’s internal and external security.” And further down we have: “In the computer security field, the term is now obsolete, and more common terms are penetration testers or security testers.” [...]

posted by pdp
More UPnP Hacking Fun with Google Media Server

The fun with hacking UPnP-enabled devices has just begun. We’ve started our exploration in the field of UPnP earlier this year with some smoking posts which covered some basic attacks and the advanced Flash attacks. Today I stumbled across Google Media Server, a desktop gadget which allows you to share all your laptop/desktop media content with all other devices you may have locally such as your phone, Xbox, TV, and I suspect, your fridge. And all that via UPnP. That, I like very much. [...]

posted by pdp
Google and Wildcard Domains

Ok, ignore the image. This is the best I could find online. This post is about a thing I happened to notice while messing around with my own Google for Applications accounts.

Basically, Google allows you to use custom domains for your Google for Applications, Blogspot, Mashup Editor and of course App Engine accounts. I think this is an excellent feature and I use it for several of my domains. [...]

posted by pdp
Dumping the admin password of the BT Home Hub (pt 2)

This is just a quick update regarding our previous post which details how to extract the default admin password for the latest firmware of the BT Home Hub (6.2.6.E at time of writing). I recommend you read the previous post if you have not done so yet.

The BT Home Hub’s serial number - which is the default admin password - can also be found on UPnP description XML files. [...]

posted by Adrian 'pagvac' Pastor
Dumping the admin password of the BT Home Hub

So BT added a new security feature in the latest version of the BT Home Hub firmware (6.2.6.E at time of writing) which changes the default admin password from admin to the serial number of the router. From the BT Support and Advice site:

When I first noticed this new feature I thought it was quite cool and definitely a good move from BT. [...]

posted by Adrian 'pagvac' Pastor
Tomorrow’s Malware

My favorite tech quote is from Giorgio Maone. It goes like this: “If today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective.”

Part of my job at GNUCITIZEN is to spot trends. [...]

posted by pdp
CONFidence 2008

CONFidence was great! We would like to thank Andrzej, Anna and everybody else in the CONFidence team for making this event one of the greatest experiences of a lifetime. Thanks again. We are looking forward to the next event. :)

There were many interesting presentations. We’ve tried to attend all of them although it was really hard to do so when the weather in Krakow was so nice (very different from the weather conditions in cloudy/rainy London). [...]

posted by pdp