Category Archives: development

Craig: “Are you a libertarian or something, because I’m not sensing any clear political philosophy behind your position?”

Alec: “No, I’m not a libertarian. I’m from the Internet. I’m here to help.

Haz.

“Wat Behaviour” in Programming Languages – Security Impact /ht @jimfinnis #EPIC #MUSTWATCH #SHORT #WAT

Via Jim I discovered this four minutes of delight:

…and the mid-section about Javascript behaviour is relevant to WAF bypass (previously, previously) – regarding which there are many presentations and blog posts on the web, but I still delight in this sort of thing so here are a couple of extracts:

[Screenshot from http://www.slideshare.net/nethemba/bypassing-web-application-firewalls]

[Screenshot from http://security.bleurgh.net/javascript-without-letters-or-numbers]

Understanding that this is possible is essential for web security work, because this is how injected code walks straight past a web application firewall that only looks for the obvious keywords.
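As an added illustration (not code from the original post, the talk, or the linked slides): the coercions the talk plays with, returned as values so they can be checked, followed by a cheap signature-free heuristic a reviewer can run over script text to flag code written almost entirely in brackets and operators. The threshold, minimum length and sample strings are constructed assumptions.

```javascript
// Added example: JavaScript "wat" coercions and a defender-side heuristic.
// Not code from the original post, the talk, or the linked slides.

// The coercions the talk plays with, returned as values so they can be checked.
function watCoercions() {
  return {
    emptyPlusEmpty: [] + [],            // both sides become "" -> ""
    arrayPlusObject: [] + {},           // "" + "[object Object]"
    notArray: ![],                      // [] is truthy, so false
    watNaN: Array(16).join("wat" - 1),  // "wat" - 1 is NaN; 15 x "NaN"
  };
}

// The security point: the same semantics can be spelled without any of the
// keywords a signature-based filter looks for. One cheap, signature-free
// heuristic is the fraction of a script that is brackets and operators.
const SYMBOL_RE = /[\[\]{}()+!<>=]/g;

function symbolDensity(src) {
  const stripped = src.replace(/\s+/g, "");
  if (stripped.length === 0) return 0;
  const symbols = (stripped.match(SYMBOL_RE) || []).length;
  return symbols / stripped.length;
}

// Flags input that is long enough to be meaningful and almost all symbols.
// Threshold and minimum length are constructed assumptions for this example.
function looksObfuscated(src, threshold = 0.8, minLen = 16) {
  const stripped = src.replace(/\s+/g, "");
  return stripped.length >= minLen && symbolDensity(src) >= threshold;
}
```

A density score like this is a triage signal for a reviewer, not a replacement for parsing the script; ordinary minified code scores well below the threshold.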

LibTech-Auditing-Cheatsheet # technical things to look for when auditing extremely high value applications

Introduction

This list is intended to be a list of additional or more technical things to look for when auditing extremely high value applications. The applications may involve operational security for involved actors (such as law enforcement research), extremely valuable transactions (such as a Stock Trading Application), societal issues that could open users to physical harassment (such as a Gay Dating Application), or technologies designed to be used by journalists operating inside repressive countries.

It is an advanced list – meaning entry level issues such as application logic bypasses, common web vulnerabilities such as XSS and SQLi, or lower level vulnerabilities such as memory corruption are explicitly not covered. It is assumed that the reader is aware of these and similar vulnerabilities and is well trained in their search, exploitation, and remediation.

A good example of the type of analysis to strive for can be shown in Jacob Appelbaum’s analysis of UltraSurf: https://media.torproject.org/misc/2012-04-16-ultrasurf-analysis.pdf

The Stuff

…continues at iSECPartners/LibTech-Auditing-Cheatsheet · GitHub.

ht @runasand


Ross Anderson’s “Security Engineering” – Now FREE to Download and Read

“Security Engineering” now available free online

February 4th, 2013 at 17:50 UTC by Ross Anderson

I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.

I’ve long been an advocate of open science and open publishing; all my scientific papers go online and I no longer even referee for publications that sit behind a paywall. But some people think books are different. I don’t agree [...]

…continues at Light Blue Touchpaper » Blog Archive » “Security Engineering” now available free online.

Government won’t fund ploughshare research, so instead we adapt the swords # #hackerspace #darpa

Piffle:

“Having these programs in schools is fantastic, but the military calling the shots in American education?” Mitch Altman, a co-founder of Noisebridge, a San Francisco hackerspace, said in an interview. “I don’t see that as a positive move,” added Mr. Altman, who, in an online post, was among the first to take a stand against the program.

The controversy over the government programs led to a tense session in a packed ballroom at the Hackers on Planet Earth conference this summer in New York, where recipients and critics of the Darpa financing gathered to discuss its implications.

“If you grow a piece of celery in red water, it’s going to be red,” said Sean Auriti, who is known as Psytek at the hackerspace Alpha One Labs in Brooklyn, which he runs. “I’m just wondering how this Darpa defense contract money is going to influence these projects.”

Probably much the same way that it influenced the Internet and TorProject; as a former gun-runner I would be far more worried about Department of Treasury funding coming with strings, than Military.

I’m not saying this is all good. I am saying that the NYT debate is a storm in a teacup. We already know that all software is dual-use, but apparently some folk on my team have forgotten.

via Worries Over Defense Dept. Money for ‘Hackerspaces’ – NYTimes.com.

On the pain of #Python programming on #OSX with #MySQL – #humour #true


install mysql
pip install oursql
easy_install oursql
sudo easy_install oursql
easy_install pip
sudo easy_install pip
sudo pip install oursql
launch appstore
install xcode - free!
update creditcard info
update password recovery information
update emergency recovery e-mail address
confirm emergency recovery e-mail address
gmail
install xcode
watch xcode download
tea
watch xcode download
watch xcode install
pip install oursql
which gcc
gcc[tab]
llvm[tab]
find / -mount | grep gcc
find / -mount | grep llvm
google
xcode > preferences > components > install command line tools
watch command line tools install
hash -r
sudo pip install oursql
ignore warnings
python
python
find /Library/Python ! -perm -055 -print | xargs chmod go+rx
sudo -i
…etc

Routers from China’s Huawei Vulnerable to Trivial Attack # If you’d heard what I’ve heard about Huawei …

… then you would not be surprised by any of this; rumours of measuring coder performance via lines of code per day and of not reusing tested open-source code on the basis that it’s hard to reconcile developer team performance targets against code reuse.

Run away.

In a talk on router hacking during Def Con on Sunday, Recurity Labs’ Felix (FX) Lindner told those in attendance that for the 20th anniversary of Def Con, the gift was China. This is because he was about to give a presentation on the seriously security challenged status of routers manufactured by Huawei.

The talk focused on the fact that Huawei routers were easily compromised. The AR series routers from Huawei (AR18 and AR29) that were tested are marketed for SMBs and smaller networks.

The firmware on the two models tested was found to be vulnerable to trivial exploits, including session hijacking, stack overflows and heap overflows. One vulnerable function within the firmware of the routers, named ‘sprintf’, has more than 10,000 calls to it, meaning there are plenty of ways to target it.
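As an added example (not code from the talk, the article, or Huawei’s firmware): the fixed-buffer sprintf pattern the article describes, shown beside the snprintf form that is told the buffer size and whose return value reveals truncation. The banner format and the hostname inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example, not firmware code. A 32-byte buffer stands in for whatever
   fixed-size buffer the router formats a caller-controlled string into. */
#define BUF_LEN 32

/* The pattern the article describes: sprintf is never told how big buf is,
   so a hostname longer than the remaining space writes past the end of the
   buffer (the classic stack overflow). Shown for contrast only; never call
   this with untrusted input. */
void format_banner_unsafe(char buf[BUF_LEN], const char *hostname) {
    sprintf(buf, "Router %s ready", hostname);
}

/* Hardened form: snprintf is bounded by BUF_LEN and always terminates the
   string. Its return value is the length the full output would have had, so
   n >= BUF_LEN means the output was truncated. Returns true if it all fit. */
bool format_banner_safe(char buf[BUF_LEN], const char *hostname) {
    int n = snprintf(buf, BUF_LEN, "Router %s ready", hostname);
    return n >= 0 && (size_t)n < BUF_LEN;
}

/* Policy wrapper: silent truncation can itself be a bug (a truncated path or
   command means something different), so refuse oversize input outright.
   Returns the length written, or -1 with an empty buffer on rejection. */
int format_banner_checked(char buf[BUF_LEN], const char *hostname) {
    if (!format_banner_safe(buf, hostname)) {
        buf[0] = '\0';
        return -1;
    }
    return (int)strlen(buf);
}
```

The return-value check is the part most codebases skip when they swap sprintf for snprintf; without it, truncation goes unnoticed instead of becoming an overflow.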

Presently, the vulnerable hardware is found in Asia and the Middle East, but that could change if Huawei gets their way, as they are pushing for expansion in Europe and the U.S.

Researchers FX and Gregor Kopf focused on routers from Huawei that are used in the home and office, but only because the equipment used by telecommunications firms was unavailable. Still, they share the same framework the researchers noted, so the big boxes are likely just as vulnerable.

Sam Erdheim, senior security strategist for network security firm AlgoSec, said that vulnerabilities such as the ones disclosed by Recurity Labs are at the root of security challenges. “It does no good to worry about threats when your core networking devices are providing attackers with an easy way to gain unauthorized access to systems and information.”

When asked about reports earlier this month that firms such as Huawei have pervasive access to a majority of the world’s telecoms, FX commented that nobody needs a backdoor, as the flaws exposed during his talk represent “plausible deniability.”

FX also blasted Huawei for not having an easily accessible security contact. He hopes that the disclosure of numerous flaws will force the company to fix its problems, while acting as a wake-up call to their customers.

via Routers from China's Huawei Vulnerable to Trivial Levels of Attack | SecurityWeek.Com.

Developers and Software Testers will resonate with this letter from Steinbeck…

For Reader, read User; for Writer, Developer, and… you can work out the rest:

John Steinbeck – A Book is like a Man

[...]

WRITER
(Losing temper as a refuge from despair)
God damn it. This is my book. I’ll make the children talk any way I want. My book is about good and evil. Maybe the theme got into the execution. Do you want to publish it or not?

EDITORS
Let’s see if we can’t fix it up. It won’t be much work. You want it to be good, don’t you? For instance the ending. The reader won’t understand it.

WRITER
Do you?

EDITOR
Yes, but the reader won’t.

PROOFREADER
My god, how you do dangle a participle. Turn to page so-and-so.

There you are, Pat. You came in with a box of glory and there you stand with an armful of damp garbage. And from this meeting a new character has emerged. He is called the Reader.

THE READER
He is so stupid you can’t trust him with an idea.
He is so clever he will catch you in the least error.
He will not buy short books.
He will not buy long books.
He is part moron, part genius and part ogre.
There is some doubt as to whether he can read.