Web App Security

Most Topular Stories

One of Fast Company’s Most Creative People in Business
Silver Tail Systems Blog, 15 May 2012 | 11:54 am

Speeding Up Security Reviews
Mozilla Security Blog, 8 May 2012 | 7:06 pm
At Mozilla we have a strong commitment to security; unfortunately, due to the volume of work underway at Mozilla we sometimes have a bit of a backlog in getting security reviews done. Want to speed up your security review request? You can dramatically increase the turnaround time for your security review request by providing the information below. In addition to this, we are working to expand our overall security review process documentation; you can follow those efforts here. 1. Architecture Diagram: An architecture diagram illustrates how the various components of the service communicate…

Raising the Bar with the Domain Policy Framework
The Security Practice, 10 May 2012 | 8:06 pm
PayPal is pleased to be invited by Artemis Internet Inc. to participate in the Domain Policy Working Group. PayPal has long been a leader in multi-stakeholder efforts to tackle the problems of crime, fraud and phishing on the Internet. We have identified the need for and advocated uniform security policy frameworks to address Web security (Web Security Framework: Problems and Requirements), are early adopters of DNSSEC for secure domain names, and helped develop standards like Domain-based Message Authentication, Reporting & Conformance (DMARC) for email authentication and HTTP Strict…

Malware Piggybacks on Automatic WordPress Updates
Unmask Parasites. Blog., 2 May 2012 | 1:44 pm
Most WordPress bloggers know the “Always keep your WordPress blog up-to-date” mantra. To make upgrades painless, WordPress developers introduced the “Automatic Update” features in version 2.7. A blog admin only needs to visit the “Update WordPress” page (Tools -> Update) and click on the “Update Automatically” button. That’s it! Easy! Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it…

#FreeByron is no more, long live #ByronIsFree (UPDATED) (UPDATED AGAIN)
Liquidmatrix Security Digest, 15 May 2012 | 11:12 am
In a decision which will be scrutinized and used as case law for years, Byron Sonne was found not guilty on all charges today. There’s a long story to be told I’m sure, but the key point is that after TWO YEARS, the government has nothing but theatre to stand behind. I’ll follow this up later with more. UPDATES: News: Byron Sonne not guilty on G20 explosives charges; Sonne acquitted on explosives, mischief charges; Freed G20 activist Sonne blasts ‘nanny state’; Byron Sonne cleared of all charges; CBC Video of post-verdict scrum; Byron Sonne, Found Not Guilty On All…
Silver Tail Systems Blog

One of Fast Company’s Most Creative People in Business
15 May 2012 | 11:54 am
I was both thrilled and humbled to see that Fast Company named me one of the Most Creative People in Business. Throughout my career I have had the benefit of working with some of the most amazing minds, whether that was in teaching me to think like a criminal, raising venture capital, or creating a product that protects billions of people online. And to see that I am being recognized with luminaries like Ben Horowitz and the founder of Hip Hop Public Health is incredible. This is just one of the indications that what Silver Tail is doing is amazing. We have taken protecting people on the…

Finovate Spring Demonstrates a Growing Richness in Online Interactions
10 May 2012 | 12:02 pm
At Finovate Spring this week in San Francisco, there has been considerable buzz around all sorts of technologies available for financial organizations worldwide. It’s a fascinating group, from online financial advice companies to multi-party payment providers to online money movers. One thing many of them have in common: service offerings on the Web. This raises the question: with all of these financial services and offerings online, how do organizations protect the users of their websites and defend against attacks? This is a question for all industries and all organizations that…

Aunt Sally Returns to Finovate Tomorrow!
7 May 2012 | 12:29 pm
For those of you who have wondered what has happened to our favorite fraud victim, fictional Aunt Sally, I am happy to say that she will be making an appearance tomorrow at the Finovate Spring 2012 conference. If you’ve missed hearing about how the criminals have targeted Aunt Sally, tomorrow is your chance to hear about the newest threat that is live in the wild: malware that performs parameter injection. It’s guaranteed to be fascinating to see the latest way the criminals are targeting banking users. If you’re going to be at Finovate, it would be great to get together, so…

Is There a CISPA Compromise?
3 May 2012 | 12:16 pm
Given the discussion about CISPA, I thought I’d share my perspective. I agree that global organizations need to expand their mechanisms for fighting cyber crime. We know the criminals cooperate and only through cooperation among the targets can we get to a place where we are on an even playing ground with the criminals. Of course, the flip side of this is the private and personal information that will also be shared between organizations and with the government. This is an interesting assumption and it brings up a point I have been pondering for a while: what is the line between privacy…

The 99% Goes Cyber
2 May 2012 | 2:21 pm
A group calling themselves L0NGWave99 has threatened a denial of service attack against the externally facing NYSE website. This attack is in support of the “great and rooted 99% movement,” and will include attacks against other exchanges’ externally facing websites as well. Two thoughts on this. First, is it that big of a deal to DDoS the externally facing NYSE site? While having that site unavailable (in the worst case) would be bad publicity, it doesn’t actually disrupt any markets. Second, the fact that the 99% movement has gone cyber is quite interesting to me.
Mozilla Security Blog

Speeding Up Security Reviews
8 May 2012 | 7:06 pm
At Mozilla we have a strong commitment to security; unfortunately, due to the volume of work underway at Mozilla we sometimes have a bit of a backlog in getting security reviews done. Want to speed up your security review request? You can dramatically increase the turnaround time for your security review request by providing the information below. In addition to this, we are working to expand our overall security review process documentation; you can follow those efforts here. 1. Architecture Diagram: An architecture diagram illustrates how the various components of the service communicate…

Why an outdated Java Plugin is so serious
6 Apr 2012 | 7:21 pm
Recently, Mozilla responded to an imminent threat to Firefox users who have an outdated Java plugin installed: Vulnerable versions of the plugin were blocked automatically (see blog post). Since then, I’ve been asked a few times why this is important; others have complained that their <any large number> corporate/government installations don’t work anymore because they depend on an outdated Java version (note that some of these problems/complaints were probably caused by a bug in the initial deployment of the blocklisting entry itself that is now fixed). While we all…

Blocklisting Older Versions of Java
3 Apr 2012 | 8:20 pm
Mozilla recently implemented a block for older versions of Java (Version 6 Update 30 and below as well as Version 7 Update 2 and below) which are vulnerable to a critical security issue. For additional details, please see https://blog.mozilla.org/addons/2012/04/02/blocking-java/

Make Things Better (or, how I learned to stop worrying and love security again)
16 Mar 2012 | 3:18 pm
Working in application security can be frustrating. Often you’re working around problems in software you have little control over, making ugly bandaids that must stay in place until a vendor wakes up to an issue. Perhaps this is why security folk, as a community, have gotten into the habit of complaining about how things are broken and leaving it there; how often have you attended a presentation where a vendor is criticised for making a mistake, but no solution is suggested, or help offered? This frustration is one of the reasons I was really excited about coming to Mozilla.

ADBFuzz – A Fuzz Testing Harness for Firefox Mobile
9 Mar 2012 | 2:43 pm
Fuzz testing (automated, random testing) is an important part of nearly every application security life cycle. While there are a lot of tools, frameworks and harnesses available for regular desktop platforms/operating systems, there’s still a lot missing in the mobile sector, which is becoming increasingly important. In this article, I will describe the necessary implementation steps for a mobile fuzzing harness and provide a proof-of-concept implementation called ADBFuzz that allows anyone to run fuzzers written in JavaScript in Firefox Mobile on Android. In the near future, we will…
The Security Practice

Raising the Bar with the Domain Policy Framework
10 May 2012 | 8:06 pm
PayPal is pleased to be invited by Artemis Internet Inc. to participate in the Domain Policy Working Group. PayPal has long been a leader in multi-stakeholder efforts to tackle the problems of crime, fraud and phishing on the Internet. We have identified the need for and advocated uniform security policy frameworks to address Web security (Web Security Framework: Problems and Requirements), are early adopters of DNSSEC for secure domain names, and helped develop standards like Domain-based Message Authentication, Reporting & Conformance (DMARC) for email authentication and HTTP Strict…

PayPal supports reform at the CA/Browser Forum
6 Mar 2012 | 10:46 am
PayPal is pleased to note the creation of a working group at the CA/Browser Forum to address rechartering itself as a more mature and capable organization with a broader scope of action. We are entirely supportive of the work; indeed, we believe it is vital. Through collaborative efforts like Extended Validation Certificates, the CA/Browser Forum has already played an important role in promoting consumer trust online. However, recent events such as the DigiNotar compromise have demonstrated that the foundations of Internet trust are under increasingly serious threat, and that the community is…

PayPal domains are now using DNSSEC
8 Dec 2011 | 11:47 am
We're pleased to announce that all PayPal owned and operated DNS domains are now secured using DNSSEC. They are all signed, and DS records uploaded to their respective TLDs. This announcement is the culmination of months of work by PayPal's Site Operations teams, along with our domain name administrator. Congratulations to them for their hard work on making this fully operational. If you'd like to see a small visualization of the "trust chain" involved for paypal.com, you can see it here: http://dnsviz.net/d/paypal.com/dnssec/ Note: Be aware that in cases…

The Future of Web Application Security at W3Conf 2011
17 Nov 2011 | 4:36 pm
This week I had the honor and pleasure of presenting at W3Conf, the W3C's first ever developer conference. I saw some truly amazing work that is expanding the idea of what the Web can be, and all built using open standards. In that theme, Scott Stender of iSEC Partners and I gave a talk for developers titled "The Future of Web Application Security". We highlighted how growing complexity and capability, new data flows, and the use of Web APIs in all types of clients means that Web App Security can no longer be a strictly server-side concern. Client-side apps must be…

PayPal Hiring Application Security Manager
29 Aug 2011 | 1:26 pm
Hello, Andy Steingruebl here. I'm posting for one of my colleagues who is hiring a manager to head PayPal's application security efforts, specifically focused on Secure Development Lifecycle (SDL) work as well as foundational application security capabilities. A job description is here: http://bit.ly/nP9Afr An official posting will be up soon with instructions on how to apply. I will update this blog entry when the official job posting is available. Comments on this blog are moderated. If you'd like more details you can post a comment for us to review or email me, my work email…
Unmask Parasites. Blog.

Malware Piggybacks on Automatic WordPress Updates
2 May 2012 | 1:44 pm
Most WordPress bloggers know the “Always keep your WordPress blog up-to-date” mantra. To make upgrades painless, WordPress developers introduced the “Automatic Update” features in version 2.7. A blog admin only needs to visit the “Update WordPress” page (Tools -> Update) and click on the “Update Automatically” button. That’s it! Easy! Sometimes I see how webmasters misinterpret the importance of upgrades for WordPress security. They expect that if they upgrade a hacked blog, it will immediately become clean and secure. Unfortunately it…

You Need to Pay For This Crypt. Trial Version of Malware?
7 Mar 2012 | 7:25 am
According to Betteridge’s Law of Headlines, “Any headline which ends in a question mark can be answered by the word ‘no’”. Nonetheless, I use this type of headline for this post because this was the question I asked myself when I came across the following attack. A few days ago I began to notice many websites where Google reported “assexyas .com” as a source of the infection (at this point Google reports 6148 infected sites). They all contained quite a prevalent type of malicious script (such scripts have been in use for a few months)…

Weak Passwords and Tainted WordPress Widgets
1 Mar 2012 | 9:47 am
A few days ago I investigated a hack where the following script was injected into web pages: <sc ript src="hxxp://www .copytech .lu/js/java.js"></script> The script was at the very top of the HTML code and in the middle of the page. It was a WordPress site so I suggested checking the index.php and theme files for the malicious code. The topmost script was indeed in the theme’s index.php file. But theme files didn’t contain the script that I found in the middle of the web pages’ HTML code. Sidebar Widgets: When I compared the code of the theme and the HTML of web…

Lorem Ipsum and Twitter Trends in Malware. Update.
18 Feb 2012 | 3:23 am
A few weeks ago I published an article about an attack that hosted malware on a fast flux network of infected PCs and used a clever algorithm based on Twitter trends to generate four new hard-to-predict domain names every day. Shortly after that I was contacted by foks, who shared some interesting information. He conducted his own investigation and found out how hackers injected those scripts into legitimate web pages. He also found a new (buggy) version of the malicious script. Attack via FTP: Foks confirms that the attackers used FTP to download .html and .php files that contained…

Script Injection (*.ddns.name) and Backdoors
12 Feb 2012 | 5:31 am
Just a quick review of a hacker attack that I came across this week. The attackers inject a malicious script into legitimate web pages on compromised sites and update the script several times a day (sometimes they change the script code and sometimes just make sure the script is still there, in case webmasters removed it). Typical scripts look like this: var $E=(Date);if($E){$f=['2*%0)%5}%1','%3{%b(%9_%8...skipped...(1))[$s.$Aj]($l[$0][$s.$1k](0,1));}}return this;},$3=$l(),$f='';$pi('l\x65\x6E\x67th');if…
Liquidmatrix Security Digest

#FreeByron is no more, long live #ByronIsFree (UPDATED) (UPDATED AGAIN)
15 May 2012 | 11:12 am
In a decision which will be scrutinized and used as case law for years, Byron Sonne was found not guilty on all charges today. There’s a long story to be told I’m sure, but the key point is that after TWO YEARS, the government has nothing but theatre to stand behind. I’ll follow this up later with more. UPDATES: News: Byron Sonne not guilty on G20 explosives charges; Sonne acquitted on explosives, mischief charges; Freed G20 activist Sonne blasts ‘nanny state’; Byron Sonne cleared of all charges; CBC Video of post-verdict scrum; Byron Sonne, Found Not Guilty On All…

VMWare Vulnerability Security Advisory
3 May 2012 | 3:58 pm
Heads up. A new VMWare vulnerability security advisory has been released. Problem Description: a. VMware host memory overwrite vulnerability (data pointers). Due to a flaw in the handler function for RPC commands, it is possible to manipulate data pointers within the VMX process. This vulnerability may allow a guest user to crash the VMX process or potentially execute code on the host. Workaround: Configure virtual machines to use less than 4 GB of memory. Virtual machines that have less than 4GB of memory are not affected. Mitigation: Do not allow untrusted users access to your virtual machines.

Stupid Human Tricks: Security Job Interviews
30 Apr 2012 | 2:42 pm
One of my frustrations over the years has been around interviewing candidates for security jobs. I recently had a doozy when a candidate asked “what do you guys do?” Staring blankly at the phone I had to fight to maintain my composure. I then started mentally thumbing through years of absurd responses from candidates. I decided to ask the community to share their favourite security job interview question answers and wow…did that ever garner a response. Opening statement on Twitter: “I’m compiling a list of things NOT to say in an interview for a security job. Got…

You Lose America. CISPA Passes 248-168
26 Apr 2012 | 8:15 pm
In a rather bizarre twist today the vote on the CISPA bill was moved forward and hurriedly pushed through. First off, what is the Cyber Intelligence Sharing and Protection Act or CISPA? From Wikipedia (yes, I quoted Wikipedia, get over it): The bill would allow the voluntary sharing of attack and threat information between the U.S. government and security cleared technology and manufacturing companies to ensure the security of networks against patterns of attack;[5] the most recent version of the CISPA bill may remove any reference to intellectual property.[6]…

Onion Browser For iOS Private Browsing
26 Apr 2012 | 9:37 am
OK, this is rather interesting. An app that provides private browsing on your iOS device. The Onion Browser for iOS private browsing provides, potentially, for a safe browsing experience in the event that your phone gets pinched by border agents. From Lifehacker: We’ve talked about ways to Tor in Chrome and Firefox before, and Onion Browser uses the same basic premise. It tunnels your browsing through a Tor proxy server so websites don’t see your IP address and it encrypts all of your information before it leaves your device. Loading pages in Onion Browser takes a lot longer than…
slight paranoia

Congressmen pushing awful cybersecurity bill fail cybersecurity 101
18 Apr 2012 | 10:36 am
Over the last several months, several cybersecurity bills have been proposed by various Congressional committees. One of the leading bills, the Cyber Intelligence Sharing and Protection Act (CISPA), has been proposed by Congressmen Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.). Many of the major civil liberties groups like EFF and ACLU have legitimately criticized the substance of the bill, which would give companies a free pass to share their customers' private information with the government. I'm not going to get into the weeds and criticize specific portions of this bill.

Google's pro-privacy legal position re: DOJ could assist class action lawyers in search referrer privacy lawsuit
4 Apr 2012 | 1:28 pm
In the summer of 2010, I filed an FTC complaint (pdf) against Google for deceiving its users about the extent to which it knowingly leaks user search queries to third parties via the referring header sent by web browsers. Shortly after my complaint was made public, a class action firm hit Google with a lawsuit over the practice. Like many privacy class actions, the lawyers included every possible legal argument they could think of. One of their claims was that Google had violated the Stored Communications Act, which prohibits companies from sharing the contents of users' communications…

ACLU docs reveal real-time cell phone location spying is easy and cheap
3 Apr 2012 | 11:25 am
"Technological progress poses a threat to privacy by enabling an extent of surveillance that in earlier times would have been prohibitively expensive." -- US v. Garcia, 474 F. 3d 994 - Court of Appeals, 7th Circuit 2007. In 2009, I attended a surveillance industry trade show (the "wiretapper's ball") in Washington DC where I recorded an executive from Sprint describing, in depth, the location tracking capabilities his company provided to law enforcement agencies: "[M]y major concern is the volume of requests. We have a lot of things that are automated but that's just scratching the surface.

Federal judge: Google free to tell user about mysterious gov requests, likely related to Wikileaks
26 Mar 2012 | 4:13 pm
Summary: In two 1-page orders issued today, a Federal judge in Virginia has (for a second time) ruled that Google is permitted to tell a customer (and only that customer) about two mysterious surveillance orders -- a 2703(d) order and a search warrant -- issued in June, 2011 for records (likely including communications content) associated with their Google account. While Google is only permitted to notify the subscriber that was the subject of surveillance, that person is permitted to tell anyone else they wish, should they wish to do so. Background: One month ago, a federal judge published two…

Firefox switching to HTTPS Google search by default (and the end of referrer leakage)
21 Mar 2012 | 7:10 am
A few days ago, Mozilla's developers quietly enabled Google's HTTPS encrypted search as the default search service for the "nightly" developer trunk of the Firefox browser (it will actually use the SPDY protocol). This change should reach regular users at some point in the next few months. This is a big deal for the 25% or so of Internet users who use Firefox to browse the web, bringing major improvements in privacy and security. First, the search query information from these users will be shielded from their Internet service providers and governments who might be using Deep Packet Inspection…
Zscaler Research

A look at the top websites blacklisted
14 May 2012 | 4:58 pm
Google Safe Browsing is the most popular security blacklist in use. It is leveraged by Firefox, Safari and Google Chrome. As such, being blacklisted by Google is a big deal: users of these three browsers are warned not to visit the sites and Google puts warnings in their search results. I've run Google Safe Browsing against the top 1 million (based on number of visits) websites according to Alexa. 621 of them are blacklisted by Google Safe Browsing. I've looked at the most popular to understand why they are considered malicious. Here is what I found for the most popular blacklisted sites:…

Search Engine Security for Internet Explorer
30 Apr 2012 | 9:27 pm
Search Engine Security (SES), a browser extension designed to protect users against Blackhat SEO links in search engines, is now available for Internet Explorer. You can download it from our website. It is compatible with Internet Explorer 6.0 and above, on Windows XP through Windows 7. The features are the same as Search Engine Security for Google Chrome, released two weeks ago. The Referer and the User-Agent headers are modified when you follow a search result link on Google, Bing and Yahoo! This prevents the hijacked sites from redirecting users to a malicious page. As with SES for Firefox…

Multiple hijacking
26 Apr 2012 | 11:57 pm
Vulnerable websites are regularly hijacked to redirect users to malicious domains. The most popular type of malicious page is the Fake AV page. Attackers commonly increase traffic to these hijacked websites using Blackhat SEO techniques. Blackhat SEO requires that two different pages be delivered to different audiences: a harmless spam page to the Googlebot and security scanners, in order to get references and be ranked well by Google, as well as evade blacklists; and a redirection to a malicious domain to attack users. Existing pages on the hijacked sites are usually unchanged and instead, new…

French Budget Minister website hijacked
18 Apr 2012 | 6:46 pm
We've seen an increase in hijacked websites in recent months, redirecting users to Fake AV pages, Blackhole exploit kits and other malware. While most websites hacked are personal sites, or University websites, some are more high profile. [Image: http://www.performance-publique.budget.gouv.fr/ hijacked] The website of the French Minister of Budget (www.performance-publique.budget.gouv.fr) is an example of a high profile site that was recently hijacked. Obfuscated JavaScript was added at the top of the page. It is very similar to what we have seen on other websites. The obfuscation contains some tricks…

Search Engine Security for Google Chrome
16 Apr 2012 | 11:58 am
Google Chrome has recently added an API to modify HTTP headers. This, in turn, made it possible to port Zscaler's Search Engine Security add-on from Firefox and Firefox Mobile to Google Chrome (Search Engine Security on the Chrome Web Store). Most hijacked websites used for Blackhat SEO check the Referer header and the User-Agent to decide whether to redirect the visitor to a harmless spam page or to a malicious domain (Fake AV page, Blackhole exploit kit, etc.). By modifying these 2 headers when the user leaves a Google, Bing or Yahoo! search, Search Engine Security fools the hijacked…
Mozilla Hacks - the Web developer blog

The Web Developer Toolbox: Raphaël
15 May 2012 | 2:13 am
This is the first of a series of articles dedicated to the useful libraries that all web developers should have in their toolbox. My intent is to show you what those libraries can do and help you to use them at their best. This first article is dedicated to the Raphaël library. Introduction: Raphaël is a library originally written by Dmitry Baranovskiy and is now part of Sencha Labs. The goal of this library is to simplify work with vector graphics on the Web. Raphaël relies on the SVG W3C Recommendation (which is well supported in all modern browsers) and falls back to the Microsoft VML…

Desktop Apps with HTML5 and the Mozilla Web Runtime
14 May 2012 | 2:16 pm
Desktop Apps with HTML5: One of the best things about HTML is that it’s never “done”. HTML has been with us longer than most of the development technologies that we consider commonplace (.NET, ASP, Java, PHP, etc.). The latest incarnation of HTML, HTML5, has been the source of a great deal of buzz in the software and information industries. When we say “HTML5”, we’re implicitly referring to the “stack” of HTML/CSS/JavaScript. At Mozilla we often refer to this collectively as the “Web Run-Time” or WebRT for short. Mozilla’s…

MDN hack day tomorrow in the #mozldn space in London, England
11 May 2012 | 6:37 am
We cleared the aftermath of yesterday’s epic Geek Quiz (photo proof here) but there is no rest for the wicked in the London Mozilla Space. Tomorrow (yes, that day after this one) we’ll run an MDN hack day here in 101 St. Martin’s Lane, London (5 minute walk from Leicester Square or 10 from Charing Cross). If you have no idea what hack day in MDN means, check out Tristan Nitot’s introductory post. There are still tickets available, so go to http://mdn-hackday-london.eventbrite.com/ and sign up if you haven’t yet. There’ll be food (well, Pizza, we thought…

Getting snappy – performance optimizations in Firefox 13
11 May 2012 | 4:02 am
Back in the fall of 2011, we took a targeted look at Firefox responsiveness issues. We identified a number of short term projects that together could achieve significant responsiveness improvements in day-to-day Firefox usage. Project Snappy kicked off at the end of the year with the goal of improving Firefox responsiveness. Although Snappy first contributed fixes to Firefox 11, Snappy’s most noticeable contributions to date are landing with Firefox 13. Currently in beta, this release includes a number of responsiveness related fixes, most notably tabs-on-demand, cycle collector…

DOM MutationObserver – reacting to DOM changes without killing browser performance.
10 May 2012 | 6:12 pm
DOM Mutation Events seemed like a great idea at the time: as web developers create a more dynamic web it seems natural that we would welcome the ability to listen for changes in the DOM and react to them. In practice, however, DOM Mutation Events were a major performance and stability issue and have been deprecated for over a year. The original idea behind DOM Mutation Events is still appealing, however, and so in September 2011 a group of Google and Mozilla engineers announced a new proposal that would offer similar functionality with improved performance: DOM MutationObserver. This new…
Ajaxian » Front Page

Rails cache sweeper redux
27 Apr 2012 | 10:03 pm
Michael Mahemoff writes: To be effective, Rails cache sweepers need to be more fully understood. They know no standard, so you must employ art. He goes on: Sweepers observe both your models and your controllers, but most workarounds focus on their controller nature. Importantly: the sweeper must be explicitly added as an observer. Even more important is redux. Read all about it [Rails cache sweeper redux].

Node.js – The objective is absolutely fast I/O
30 Mar 2012 | 10:03 pm
Node.js employs an event-driven architecture and a non-blocking I/O model, and it provides some blindingly fast performance to some types of data-intensive Web apps. It is about JavaScript on the server side. LinkedIn, Yahoo and eBay are among ardent Node.js users, and none other than Microsoft has discussed end-to-end JavaScript coverage on its Azure cloud. The objective is absolutely fast I/O. This article features Joyent CTO and co-founder Jason Hoffman, who discusses the roots and reason of node.js. He said: “Why we did it is, at Joyent we have a lot of servers, more than most companies…

Winding road of open-source webOS
2 Feb 2012 | 4:21 pm
HP continues to divulge bits and pieces of a road map for the ill-starred and nearly-orphaned webOS. The company has followed up its December plan to release the webOS mobile platform and development tools with a proposed timeline, with a full release set before year’s end. Some people see a life for the associated Enyo JavaScript framework aside from any success or failure webOS ultimately achieves.

Shim uses node.js to test sites on multiple browsers
14 Jan 2012 | 10:01 pm
Shim was developed within the Boston Globe’s media lab as a way to study how Web sites look on various devices and browsers. A laptop intercepts all wifi traffic; this is redirected to a custom node.js server, which inserts a JavaScript, or “shim,” at the head of each web page that is visited. The shim, once loaded in a device’s browser, opens and maintains a socket connection to the server, according to Shim’s developers. Shim was written in 2011 by Chris Marstall, Creative Technologist at the Boston Globe. The software has been open sourced. Write…

HipHop Virtual Machine for PHP
10 Dec 2011 | 8:15 pm
Facebook Software Engineer and HipHop for PHP team member Jason Evans provides details on Facebook’s move to a new high-performance PHP virtual machine. Described by Evans is “a new PHP execution engine based on the HipHop language runtime that we call the HipHop Virtual Machine (hhvm).” He sees it as a replacement for the HipHop PHP interpreter (hphpi). He continues: We have long been keenly aware of the limitations to static analysis imposed by such a dynamic language as PHP, not to mention the risks inherent in developing software with hphpi and deploying with hphpc. Our…
Didier Stevens
-
ExitProcess Shellcode
13 May 2012 | 7:19 pm I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet. Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library. Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return. You can find this shellcode on my shellcode page. -
Why Isn’t my PoC Launching calc.exe?
8 May 2012 | 6:17 am I quickly developed a dll that kills calc.exe when started from anything other than explorer.exe. This way, you can mess with all those PoCs that launch calc.exe. nocalcpoc_V0_0_0_1.zip (https) MD5: 05798543571B45E19536181DC7346330 SHA256: ED0FEDC6096420F6F09F4980A1CE36F7C4BC0A8C9191F4DFC27FA4C77D547976 -
Update: TaskManager.xls V0.1.3 Killer Shellcode
1 May 2012 | 5:49 am My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons). Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself. Here I’m using the command “e ep64”: this command injects and executes the shellcode found in sheet ep64 (as hex… -
InteractiveSieve
17 Apr 2012 | 6:33 am InteractiveSieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant. I started writing this program in 2007 and use it often. But there is a problem I’ve not been able to fix: when you hide a lot of rows, it takes a long time, probably because of the redraw operation that takes place for each hidden row. Maybe someone will find a solution. Update: big thanks to… -
Update: SE_ASLR Version 0.0.0.2
29 Mar 2012 | 4:14 am I added Bottom Up Randomization to my SE_ASLR tool. In this source code, I use a Windows Cryptographic Service Provider to generate random numbers. SE_ASLR_V0_0_0_2.zip (https) MD5: C835D1DDB64A68A1CD48CCF87AE03D18 SHA256: 1560BEE96CFC956A5E8954FEFD92ED227293418B19FE6B06D4ED703B6C50F4AC
-
Technicalinfo.net Blog
-
Crimeware Immunity via Cloud Virtualization
21 Apr 2012 | 5:14 pm There's a growing thought recently that perhaps remote terminal emulators and fully virtualized cloud-based desktops are the way to go if we're ever to overcome the crimeware menace. In essence, what people are saying is that because their normal system can be compromised so easily, and that criminals can install malicious software capable of monitoring and manipulating what is done on the victim's computer, that perhaps we'd be better off if the computer/laptop/iPad/whatever was more akin to a dumb terminal that simply connected to a remote desktop instance - i.e. all the vulnerable applications and… -
IP's and the APT
11 Apr 2012 | 1:19 pm Most of the good thrillers I seem to have watched in recent years have spies and assassins in them for some diabolical reason. In those movies you’ll often find their target, the Archduke of Villainess, holed up in some remote locale, and the spy has to fake an identity in order to penetrate the layers of defense. Almost without exception the spy enters the country using a fake passport; relying upon a passport from any country other than their own. Like any good story, there’s enough truth to the fiction to make it believable. Take the real-life example of the hit squad that carried out the… -
Practical Malware Analysis - A Review
6 Apr 2012 | 12:08 pm Off and on over the last few weeks I've been reading Michael Sikorski & Andrew Honig's latest book "Practical Malware Analysis". As you'd expect given the title, the book covers the art of malware reverse engineering and analysis from a malware investigator's perspective - providing extensive coverage of the techniques that need to be mastered by folks that intend to make a career of such technical work. The tome of some 766 pages can be thought of more as a textbook (complete with practical labs) rather than a reference book that many other similarly themed practical malware analysis… -
Get over it, BYOD is here for good
6 Apr 2012 | 10:05 am Like the scene of a movie in which a biblical character holds back the mighty sea and is about to release the tide against his foes, BYOD has become a force of nature poised to flood those charged with keeping corporate systems secure. Despite years of practice hardening systems and enforcing policies that restrict what can and can’t be done within the corporate network, businesses are under increasing (if not insurmountable) pressure to allow a diversifying number of personal devices to connect to their networks and be used for business operations. Bring your own device (BYOD) is the most… -
Unauthorized Access to Millions of Cards at Global Payments
1 Apr 2012 | 11:22 am Global Payments, an Atlanta-based payment card processing firm, announced yesterday that they had suffered “unauthorized access into a portion of its processing system”. Sometime in early March they uncovered the attack, and there are some indications that the breach occurred between January 21st and February 25th of this year. At the moment there is very little public information relating to the nature of the breach, merely that the details of an estimated 10,000,000 cards (track 1 and track 2 – effectively what’s needed to clone physical cards) have been slurped by the attacker(s).
-
CERIAS Combined Feed
-
Spafford Wins Award for Outstanding Career Achievement
27 Apr 2012 | 8:18 am (Purdue Today) Dr. Eugene H. Spafford, executive director of CERIAS and professor of computer science, received the Morrill Award for outstanding career achievement. This new annual award was presented at the Faculty Awards Convocation on April 26, 2012. In honor of the 150th anniversary of the federal Morrill Act, which allowed for the creation of land-grant colleges and universities, the Office of the Provost gave four Morrill Awards to faculty members who have excelled as teachers, researchers and scholars, and in engagement missions. The awards are named for Justin Smith Morrill, the… -
Keynote: Howard Schmidt (Keynote Summary)
16 Apr 2012 | 3:48 pm Howard Schmidt, Special Assistant to the President and Senior Director for Cyber Security, Office of the U.S. President. Morning Keynote Address, April 4, 2012. Summary by Keith Watson. In the introduction, Professor Spafford mentioned many of the roles that Howard Schmidt has had over his many years in the field. He specifically highlighted Mr. Schmidt’s service to the nation. He also indicated that things in information security are not necessarily better since Howard last attended the CERIAS Symposium in 2004, but that was not Howard’s fault. Howard Schmidt began his keynote address by… -
Security Fireside Chat (Summary)
16 Apr 2012 | 12:59 pm Summary by Christine Task. The fireside chat was an open discussion among several important persons with very interesting positions in the security world. The conversation covered a broad range of topics, as each participant contributed their unique insight and perspective. The summary below will collect just the main points for easy review. Present were (in seating order): Dr. J.R. Rao of IBM Research, Manager of the Internet Security Group at IBM Research (abbreviated below as IBM); Howard A. Schmidt, Office of the U.S. President, Cyber-Security Coordinator of the Obama Administration… -
Panel #3: Securing Mobile Devices (Panel Summary)
13 Apr 2012 | 5:53 pm Tuesday, April 3, 2012. Panel Members: Saurabh Bagchi, Purdue; David Keppler, MITRE; Jeremy Rasmussen, CACI. Panel summary by Robert Winkworth. The panel was moderated by Keith Watson, CERIAS, Purdue University. In light of its unprecedented growth, wireless mobile communications remains a major focus of security research. The stated purpose of this panel was to address the challenges in securing data and processing, limiting communication to designated parties, protecting sensitive data from loss of device, and handling new classes of malware. Professor Bagchi opens the discussion with these key… -
Panel #2: Big Data Analytics (Panel Summary)
13 Apr 2012 | 5:44 pm Tuesday, April 3, 2012. Panel Members: William S. Cleveland, Purdue University; Marc Brooks, MITRE Corporation; Jamie Van Randwyk, Sandia National Laboratories; Alok R. Chaturvedi, Professor, Purdue University. Panel Summary by Nabeel Mohamed. The panel was moderated by Joel Rasmus, CERIAS, Purdue University. A quick review on Big Data: Big Data represents a new era in data analysis where the volume of the data to analyze is so big that it does not work with current traditional database technologies and algorithms. The size of the data set needs to be collected, stored, shared, analyzed and/or…
-
Security Bloggers Network
-
Cops: Pastor Hid Cameras In Church Bathroom | The Smoking Gun
16 May 2012 | 5:05 am “You never know when you are auditioning!” You have heard me say it before. I’ve written about it in my book “Securing the C Level” and here in my blog. I’ve discussed it at conferences and in presentations. But this represents the extreme end of that recommendation I had never included for consideration. Cops: Pastor [...] -
OOPS! GM drops Facebook ads: They “don’t work” #ITBW by Richi Jennings…
16 May 2012 | 5:01 am OOPS! GM drops Facebook ads: They ''don't work'' #ITBW by Richi Jennings for Computerworld... http://blogs.computerworld.com/20181/oops_gm_drops_facebook_ads_they_dont_work -
Supply Chain Risk Management and Catastrophes
16 May 2012 | 5:00 am The reports of destructive events (natural disasters, accidents, and intentional attacks) just keep on going. We could all guess that the Japanese tsunami of March 11, 2011 would have major impact on manufacturers’ supply chains … but a tornado in Wichita, Kansas and a fire in a plant in Germany! The Wichita tornado, which was reported in an article “Tornadoes Hamper Boeing Supplier” by Jon Ostrower in the April 17, 2011 Wall Street Journal, damaged ten buildings at a complex belonging to Spirit AeroSystems, which supplies fuselages and other parts for popular Boeing planes. -
LED Lighting: Ready for Prime Time? #HPIO UK by Alfred Poor for HPUK … http://h30565.www3.h…
16 May 2012 | 3:38 am LED Lighting: Ready for Prime Time? #HPIO UK by Alfred Poor for HPUK... http://h30565.www3.hp.com/t5/UK-Articles/LED-Lighting-Ready-for-Prime-Time/ba-p/3699 (Input Output) -
Phishing Metrics
16 May 2012 | 2:55 am The Anti-Phishing Working Group has published its latest bi-annual Global Phishing Survey of Domain Name Use and Trends. Key metrics from Global Phishing Survey: Domain Name Use and Trends in 2H2011, which analysed 83,000 attacks against users... Phishing Metrics (Clerkendweller)