[Dailydave] INFILTRATE - and conferences in general.

2014-05-08 Thread Dave Aitel
I think a lot of us have spent the last decade or so going to security conferences. And frankly, a lot of them have been pretty bad. The last BlackHat I went to was too big, and you spent much of your time walking from one end of Caesars to the other if you wanted to see talks. At RSA the talks

[Dailydave] STRATEGIC

2014-04-29 Thread Dave Aitel
https://www.youtube.com/watch?v=W2qlUk3S-J0 Most penetration tests are still two people for two weeks. It's been like this for a decade at least. And even when you work closely together, it can be somewhat annoying to coordinate in a recordable, controllable way. So CANVAS now has STRATEGIC built

[Dailydave] INNUENDO and WMI and being an APT :

2014-04-25 Thread Dave Aitel
http://vimeo.com/92952484 INNUENDO Movie on WMI and Machine Reporting. You should watch it now. -dave

[Dailydave] Lateral Movement with INNUENDO

2014-04-21 Thread Dave Aitel
they get to the INNUENDO team! Thanks, Dave Aitel

[Dailydave] VisualSploit 2.0

2014-04-17 Thread Dave Aitel
http://immunityservices.blogspot.com/2014/04/unethical-hacking-training-available-at.html I wanted to point out the above blog post - I'm a huge believer in modern educational techniques and advantages (Khan Academy, etc.) and the fact is that online training has really ruined the reputation that

[Dailydave] A summary of all the RSA Keynotes and the future we have to beat.

2014-04-16 Thread Dave Aitel
in the current release is pretty smooth as well, and we're hoping to have this available to the public sometime next week! Thanks, Dave Aitel Immunity, Inc.

[Dailydave] BJJ AT INFILTRATE 2014

2014-04-14 Thread Dave Aitel
As you can see from the schedule http://www.infiltratecon.com/schedule.html INFILTRATE is once again having a friendly BJJ area. The plan is to keep it much the same as last year, which is largely unstructured and a lot of fun. FAQ as follows: Q: Will Cyborg show up to throw Jeremiah around like

[Dailydave] Innuendo Demo #1

2014-04-11 Thread Dave Aitel
http://vimeo.com/91647732 This little movie shows a couple of the features in INNUENDO that I like - although it probably does not emphasize enough the difference in thinking that you have to do with INNUENDO as compared to other commercial tools. Still, it's a start. : -dave

Re: [Dailydave] Some slides for a keynote

2014-04-09 Thread Dave Aitel
On 4/8/2014 7:28 AM, Halvar Flake wrote: Hey all, on Dave's recommendation, here are some slides from a keynote I gave today at ISACA Nordic Security. It is non-technical (as keynotes are prone to be), and full of vague speculation. Perhaps someone will find the slides

[Dailydave] Nobody but us.

2014-04-09 Thread Dave Aitel
I spent some time talking to various people lately about the concept of Nobody but us (NOBUS) especially now that the DUAL_EC algorithm is being researched more closely. People got confused because the papers that came out didn't really stress that the attacks against Dual_EC were in the case

[Dailydave] Shady headlines

2014-04-04 Thread Dave Aitel
http://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/ So I read the Krebs report today with interest because the CISO of Experian (Stephen Scharf) is an old friend of mine, and probably one of the better CISO's in the business, imho. So there are a few things I think

[Dailydave] The Future of Security (Symantec RSA 2014 Keynote)

2014-04-02 Thread Dave Aitel
http://www.rsaconference.com/videos/125/the-future-of-security by Stephen Trilling Symantec SVP Security Intelligence and Technology (This post continues the tradition of summarizing and peer reviewing all the RSA Keynotes every year. More here

Re: [Dailydave] The Source

2014-04-01 Thread Dave Aitel
So, although Katie disagreed with me back in October when this got posted, I wanted to point out this interesting article: http://www.newscientist.com/article/mg22129613.600-genetic-mugshot-recreates-faces-from-nothing-but-dna.html#.Uzr_1_ldXAs ; -dave On 10/31/2013 2:32 PM, Dave Aitel wrote

[Dailydave] Huawei

2014-03-31 Thread Dave Aitel
Americans in the Intelligence Community like to play dumb - in their ideal world everyone would assume they were so colossally stupid that any success they might be having was sheer beginners luck. This is why the executive management of Huawei assumes that if they buy off a few Brits here and

[Dailydave] The new model of insecurity

2014-03-31 Thread Dave Aitel
http://www.rsaconference.com/videos/126/the-new-model-of-security Cisco's keynote starts with the traditional eyeball gouging humorous video making fun of how it's hard to get different security solutions to work together. Wouldn't it be easier if everyone just bought everything from Cisco? I'm

[Dailydave] Late Friday thoughts on the Kevin Mandia RSAC keynote.

2014-03-21 Thread Dave Aitel
http://www.rsaconference.com/videos/128/state-of-the-hack-one-year-after-the-apt1-report If 97% of the breaches you find are directly attributable to Chinese hackers (aka, due to keyboard language settings, C2 IP, etc.) then how much are you missing?! Boggles the mind. You're telling me you don't

[Dailydave] Line Dancing.

2014-03-05 Thread Dave Aitel
One thing I like about Crimea is that if you squint hard enough, you can see the cyber battle and it's a battle of restraint. To wit: a while back the Syrian Electronic Army tweeted about messing with the SCADA systems for a power system. Doing this sort of thing kills innocent people, and the US

[Dailydave] Peeing in your own pool

2014-03-03 Thread Dave Aitel
One thing people always ask whenever something like Crimea gets invaded is about the information warfare angle on it. But if I've heard it once, I've heard it a thousand times: Only terrible hackers hack in response to current events. If you know anything at all about hacking you know that if you

[Dailydave] C2

2014-03-03 Thread Dave Aitel
One rather facetious saying that has annoyed everyone for a while is the whole defenders have to protect everything, attackers just have to get in once meme. If you talk to defenders who are leading with new technologies and techniques, the difference really does blur quite a bit. I was happily

[Dailydave] Drinking the Cool-aid

2014-02-22 Thread Dave Aitel
Security Technology / What am I blind to? / Benefits: Email Gateway (FireEye, TrendMicro, etc.) Best practices for sensitive information recommends endpoint to endpoint encryption such as GPG/PGP/SMIME. These completely blind any email gateway. Virtualization based

[Dailydave] What is the next step?

2014-02-18 Thread Dave Aitel
When we sell people El Jefe related services (which we call Digital Executive Protection) the first thing they ask is Can we also have the data. And the answer is, surprising everyone, yes. There's no reason a company in this day and age can't have their own Splunk or ElasticSearch engine that

[Dailydave] aaron ' ./x2 -t 127.0.0.1

2014-02-13 Thread Dave Aitel
CLICK ME NOW: http://vimeo.com/user18478112/review/86558038/d9b0857399 (this video is completely serious. There are no in-jokes or funny bits). May 12th through 14th Immunity is holding a Web Hacking class here in Miami Beach right before INFILTRATE. Probably the part I like best is the training

[Dailydave] The Empire Strikes Back: Part 1

2014-02-12 Thread Dave Aitel
With the right kind of eyes, there are no shadows. And likewise, with the right kind of ears, Obama's NSA speech was the beginning of the second wave. You can view the transcript

[Dailydave] Walking on Sunshine

2014-02-03 Thread Dave Aitel
Vanessa is playing upbeat happy music in the office all day, which is making me optimistic. So hopefully everyone who gets this email will log in and vote on the two new talks, especially considering JDuck made a little sign in his own handwriting that says Vote for me! nicely.

[Dailydave] Ignorance is Bliss

2014-01-14 Thread Dave Aitel
As Stephen Colbert Says: A great man said that. Who? Don't know, and don't want to know! And frankly, this is where Matt Blaze and his Co-Authors are on the subject of the 0days, or anything hacking related. I'll pause here to post a couple links: *

[Dailydave] How do we surprise you this year?

2014-01-13 Thread Dave Aitel
We try to take the dry season (January for our consulting service) to do statistics and review of the work we've done all year for our bigger consulting clients. Alex McGeorge wrote this interesting and brief blog post on one of his experiences doing a penetration test. You should read it!

[Dailydave] Various things people say.

2014-01-08 Thread Dave Aitel
http://www.washingtonpost.com/world/national-security/nsa-considers-shifting-database-of-domestic-phone-logs-to-third-parties/2014/01/07/1df6b7f6-7718-11e3-8963-b4b654bcc9b2_story.html *Should NSA point out holes?* Among the weapons in the NSA's arsenal are zero day exploits, tools that take

Re: [Dailydave] Various things people say.

2014-01-08 Thread Dave Aitel
That was a quote from the article that I wanted to highlight. I obviously did not write that (in case there is some confusion). -dave On 1/8/2014 4:08 PM, Dave Aitel wrote: http://www.washingtonpost.com/world/national-security/nsa-considers-shifting-database-of-domestic-phone-logs-to-third

[Dailydave] Systems Programming

2014-01-06 Thread Dave Aitel
So the thing about writing trojans is that they end up being large scale systems programs. What I mean by that, is one second you're thinking about all the cool stuff you can do with covert channels and P2P networks and internal cryptographics, and the very next second, once any of that stuff is

[Dailydave] Stuxnet Class

2014-01-06 Thread Dave Aitel
http://opencfp.immunityinc.com/cfp/1/ So far we have 13 talks up for your review - the system is working pretty well I think and I know there will be a few more added shortly. So submit your talks now! Sometimes people wonder if program analysis and related topics are offensive, and *I* think

[Dailydave] 2013 - A New Hope

2013-12-24 Thread Dave Aitel
2013 - A New Hope So I hesitate to make predictions, but I think it's important to at some level acknowledge that 2013 was a huge year for information security. A few things happened... : o The rebirth of managed security services. When you don't care about bringing hackers to court, but you

[Dailydave] The NSA Task Force Document.

2013-12-19 Thread Dave Aitel
I wanted to cover some of the issues with the NSA Task Force document. I'll begin abruptly here: The document recommends splitting the NSA up quite a bit - specifically moving defense (INFOSEC otherwise known as IAD) to one organization, and offense (SIGINT, TAO, etc.) to another. It also

[Dailydave] Failing at Segue

2013-12-10 Thread Dave Aitel
People are strange. For example, they often say You have to assume you are compromised! and then in the very next breath they are buying more perimeter equipment like Fireeye and WAF and whatnot. Likewise, people measuring click-rates on how many people clicked a phishing email, but a lot of the

[Dailydave] SHIELD is disappointing.

2013-11-21 Thread Dave Aitel
Those of us who loved Buffy watch anything Joss Whedon puts out, because we KNOW he's capable of genius. That said, he always has a hacker character, and they've been getting progressively worse. Willow is entirely believable - conflicted, dark, and at the same time cheerfully nerdy. Avengers'

[Dailydave] Realistically looking at all the things

2013-11-20 Thread Dave Aitel
http://0xdabbad00.com/wp-content/uploads/2013/11/emet_4_1_uncovered.pdf https://www.exodusintel.com/files/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf So I wanted to compare and contrast the EMET paper with the Portnoy Bypassing all the Things paper. Because nothing makes me madder than the

[Dailydave] Better living through state machines

2013-11-19 Thread Dave Aitel
So when writing remote access tools like INNUENDO, you have to throw out all the parts of your brain that try to do normal RPC (remote procedure call). For example, I just wrote a module (yes, I can still write code, sorta), which sits on the client taking screengrabs every ten seconds. If the

[Dailydave] The wrong thing.

2013-11-04 Thread Dave Aitel
http://www.washingtonpost.com/world/national-security/nsa-apparently-taps-google-yahoo-networks-without-companies-knowledge/2013/10/30/f14749d0-4195-11e3-a751-f032898f2dbc_story.html Otherwise known as Much ado about basically the wrong thing. Eric Schmidt is pretty mad about how when you send

[Dailydave] The Squeeze

2013-10-31 Thread Dave Aitel
So in general my feeling on 0days is that they come from new attack surfaces. Finding those new attack surfaces takes a lot of initial time - months in many cases. Usually it requires a lot of painful strip mining. For example, you may end up having to implement an entire USB stack from scratch in

[Dailydave] The Source

2013-10-31 Thread Dave Aitel
So, to continue today's email flood, one thing I've been thinking about, as it pertains to cyberweapons, is of course, the original information virus of them all: DNA. First of all, I think it's pretty clear databases exist that are wide enough and complete enough (and covert enough) that a

[Dailydave] DNSSEC

2013-10-07 Thread Dave Aitel
http://www.immunityinc.com/infiltrate/albertogarciaillera.html Notable quotes: I'm not a developer, but I'm going to speak about malware. Malware that I developed. : Spain is perfect. I liked this talk because it was about the practical realities of how to do data exfiltration out of networks in

[Dailydave] Deep Half.

2013-09-26 Thread Dave Aitel
So there's a concept in BJJ/Judo called base, and it's all about knowing the center of gravity of your opponent and also knowing where their support structures are, and which direction they can flex and push. I know almost nothing about such things (as evidenced by my performance at INFILTRATE's

[Dailydave] How to flush a trillion dollars right into the Chesapeake

2013-09-23 Thread Dave Aitel
http://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire So I don't usually link to random blogs from the big boys, but this article is worth a read. On Twitter Ben Nagy asked what an integrated team looks like - and though Symantec didn't really DELVE into the details,

Re: [Dailydave] Top10 Blowing Chunks :

2013-09-18 Thread Dave Aitel
From an attacker's perspective this is the defender attacking the exploit supply chain - where there are two parties, one which writes the exploits and the other which uses them, it's hard to cycle new targets into the mix. Hence, the target that is most prolific is the one that has been QA'd and

[Dailydave] GIFs of Cats

2013-09-12 Thread Dave Aitel
GIFs. We love them. And we love them giving us remote code execution http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3174 even more than we love them showing us how to escape from jail http://imgur.com/gallery/40Nd2. The last CANVAS release (the base release, since I also consider the

Re: [Dailydave] Top10 Blowing Chunks :

2013-09-09 Thread Dave Aitel
. - Wolfgang On Tue, Sep 3, 2013 at 1:42 PM, Dave Aitel d...@immunityinc.com wrote: http://www.qualys.com/research/top10/ So I recently found out about the Qualys Top 10 vulnerabilities list, which is a pretty cool resource really. Any time a big company with a lot of data offers a view

[Dailydave] smaller errors eroding situational awareness.

2013-08-16 Thread Dave Aitel
Related Twitter threads here: https://twitter.com/carnal0wnage/status/367734642213801985 https://twitter.com/SelsRoger/status/367751020442832897 One thing you should pay attention to, as someone who works in IT security is how the various assumptions change over time. It used to be that managing

[Dailydave] That weird rack at LGA has always bugged everyone I know...

2013-08-11 Thread Dave Aitel
Tomorrow I'm heading to speak on a panel at a conference on Airport Security http://www.aci-na.org/event/2747. This is not a topic that in and of itself I am an expert on, other than, as all of you on this list, shuddering as I walk past that cage of computer equipment within easy access as you

[Dailydave] On Haiku, and Marketing.

2013-07-18 Thread Dave Aitel
You seek the Nothing, but you have not even mastered having one thought. Off and on this week Vanessa and I were still working hard on Immunity's BlackHat marketing slicks. One night I bought Vanessa a book from Basho because the Immunity way is that good marketing is about having one true

[Dailydave] Regulations and Cybersecurity

2013-07-17 Thread Dave Aitel
So Quantum Dawn 2 http://www.sifma.org/services/bcp/cybersecurity-exercise--quantum-dawn-2/ is coming up - and it's a good opportunity to talk about how exercises like that in general work, and what they find, and so forth. These are essentially faked table-top exercises, which leads a lot of the

[Dailydave] Maps, more maps. Graphs. More Graphs.

2013-07-01 Thread Dave Aitel
Halvar once said something like People are pretty rubbish at thinking in graphs, much better at thinking about which fruit looks tastier. I'm heavily paraphrasing just to troll him, of course. But the concept of visualizations in our field being incredibly hard is interesting in terms of the

[Dailydave] The Neutron Star

2013-06-26 Thread Dave Aitel
http://usa.chinadaily.com.cn/opinion/2013-06/26/content_16659265.htm Normally I don't like to stick my toe in the neutron star's gravity well that is the NSA-Snowden discussion. But it's important to point out that there are developing standards of behavior being negotiated not between China and

[Dailydave] Triads

2013-06-24 Thread Dave Aitel
http://www.foreignpolicy.com/articles/2013/06/20/the_new_triad#.UcOf4jgwA9M.twitter With the way everyone talks about triads you'd think humans had three fingers. But the article was worth reading. And if you're wondering this morning how STALKER is doing:

[Dailydave] 2 new videos!

2013-06-20 Thread Dave Aitel
And neither one is about Edward Snowden!!! : http://infiltratecon.com/chriseagle.html --the end of this video is fixed. It's worth a watch if you weren't at INFILTRATE to see it live. Often the questions and responses to the questions are the best parts of any presentation.

[Dailydave] Chris Eagle's INFILTRATE Keynote

2013-06-14 Thread Dave Aitel
Keynotes, unlike normal technical talks, should sometimes cover very broad areas because your keynote speakers should have broad, interesting experiences. Chris Eagle's keynote at INFILTRATE 2013 is one of those. Few people knew that before working with IDA, Chris Eagle was a Naval Pilot. And yet,

[Dailydave] INFILTRATE 2013 Video #1

2013-05-24 Thread Dave Aitel
So the first video we're releasing is Stephen Watt's keynote. Yesterday we released it as a link in Immunity Debugger, so if you were doing real WORK then you got it early. : http://infiltratecon.com/watt.html Of course, the best time to get tickets for INFILTRATE 2014 is now, and not the day

[Dailydave] Starters.

2013-05-23 Thread Dave Aitel
And we're back! I got a few emails asking where DD went, and the answer is after INFILTRATE there's lots of work to do. We'll have quite a few announcements and blog posts and dissertations on social insects and their relationship to trojan protocols coming in the following days! For a

[Dailydave] The underlying structure is foamy

2013-05-23 Thread Dave Aitel
So Ben Nagy, who is nothing if not an iconoclast, disagrees with my and Halvar's general tenets that the easiest analogy to what is happening in the cyber space is the creation of a new Navy (or set of Navy's). But he refuses to argue with it when it's not words on paper. So I figured I'd put down

[Dailydave] SyScan 2013

2013-05-02 Thread Dave Aitel
It's really only after you finish writing a keynote that you know what it's about. In a sense, everyone around you writes it with you as you talk through it with people. The one I delivered at SyScan itself was funnier. . . although even so, not very funny. Not everything is funny! Even things

[Dailydave] Linux Hangman Rules

2013-04-17 Thread Dave Aitel
http://blog.ioactive.com/2013/04/can-gdbs-list-source-code-be-used-for.html So reading the above blog is amusing for many reasons. But it did make a lot of people sit around looking at the funniest games you could play on modern Linux. For example, Linux Hangman. Linux Hangman Rules You take

[Dailydave] top game

2013-03-22 Thread Dave Aitel
up the podcast I did this morning with Ryan Naraine here: https://www.securityweek.com/podcast-dave-aitel-security-awareness-training-exploit-sales-jiu-jitsu -dave

[Dailydave] Seeing is believing

2013-03-19 Thread Dave Aitel
So a while back I asked what the point of PWN2OWN was, and Mark Dowd said that of course many people have never SEEN a modern exploit, and hence it has some strategic value. I think for Google it's also useful to see what new bugclasses exist in their products that people have not otherwise

[Dailydave] The Truth of TrueType

2013-03-11 Thread Dave Aitel
So the above blog is a bit of a tease. But then in a way the best talks are teases themselves. Essentially it is someone standing at the edge of a thick forest, pointing into the underbrush, and saying I went a little bit this way, and it seems good. INFILTRATE is bigger than last year. Not by a

[Dailydave] RSA

2013-02-24 Thread Dave Aitel
How to be offensive without being offensive. There's no class in this, and I have to say that I'm not that great at it and maybe never will be. I spent all last week with my grandfather who's 92, and lived through WWII. I'd say fought in WWII, since he was in the Air Force and really wanted to

[Dailydave] Someone, not me, wanted to post this to the list anonymously

2013-02-05 Thread Dave Aitel
Every time I do this people assume it's me posting. I don't post to DD pretend-anonymously. -dave Hello DD, Sir Tim Berners Lee was in Canberra recently for a Linux conference, and discussed the events surrounding the untimely death of Adam Swartz. He mentioned that Adam had wanted his hard

Re: [Dailydave] CyberSyScan 2013 - The Speakers!

2013-02-04 Thread Dave Aitel
it up. (It might be about something else entirely) KEYNOTE: Dave Aitel - What's At Stake? - Everything Buffy The Vampire Slayer Taught Me About Cyberwar

[Dailydave] The New York Times Plays with Fire

2013-02-04 Thread Dave Aitel
So one thing I think is interesting is that New York Times story. Here's how it goes, in bullet points: 1. NYT knows it's ruffling feathers, so it hires ATT (??) to watch their network 2. ATT sees something, so NYT calls in Mandiant 3. Mandiant and NYT let the Chinese hack things and watch them

[Dailydave] Also - this link is worth reading.

2013-01-18 Thread Dave Aitel
http://venturebeat.com/2013/01/17/convicted-hacker-steven-watt-on-aaron-swarzt-its-just-not-justice/ -- INFILTRATE - the world's best offensive information security conference. April 2013 in Miami Beach www.infiltratecon.com

[Dailydave] Grey

2013-01-14 Thread Dave Aitel
After reading a lot of Grey's Anatomy's blogs I came upon the snippet that in fact, the name Grey indicated her character saw things always in shades of grey, as opposed to everyone else on the show, who tend to be a bit more black and white. It's snazzy wordplay like that that gets it 9 seasons

Re: [Dailydave] Priorities

2013-01-08 Thread Dave Aitel
, there appear to be new rules for cleared defense contractors who now have to report to the DoD any intrusions. (Perhaps this is not new?) It's quite interesting to read through though. -dave On Mon, Jan 7, 2013 at 1:04 PM, Dave Aitel d...@immunityinc.com mailto:d...@immunityinc.com wrote

[Dailydave] Processes.

2013-01-08 Thread Dave Aitel
In addition to amazing keynotes, INFILTRATE is starting to put up some speakers. To start, Matias Soler is going to talk about a project he has been working on called The Chameleon; A Cellphone-based USB impersonator http://infiltratecon.com/speakers.html . Remember to get the hotel password from

[Dailydave] BACK

2013-01-02 Thread Dave Aitel
I'm back from NZ, and because it is a 24 hour plane ride, and last time I went to work the very next day and did idiotic things, I promised myself I wouldn't work today. Idiotic things are still OK, just not at work. However, I couldn't resist posting this tidbit from our main IRC. 14:29 a

[Dailydave] Al Qassam and videos on youtube

2012-12-12 Thread Dave Aitel
So the question is: Can internet hacktivism cause a nation state to kindly ask Google to remove a video that Muslims hate, the same way Google removes known terrorist videos or videos of your baby dancing to Britney Spears tunes under copyright reasoning. So far the answer is no. But the Al

[Dailydave] Building a better honeypot

2012-12-10 Thread Dave Aitel
I don't normally read Honeynet.org, but when I do...well I have to say I'm impressed. http://www.honeynet.org/node/1004 Building a better honeypot is a worthy effort - one that may possibly have a big place in the future of network security insomuch as right now most people have forgotten the

[Dailydave] Weev's collateral damage.

2012-11-21 Thread Dave Aitel
http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/ So I'm no fan of Weev aka Andrew Auernheimer. The man is seriously disturbed and it's odd to see people support him https://twitter.com/maradydd/status/271067146145107968 on Twitter. Just as an example, here's some bizarre rape

[Dailydave] Context, and in which contexts context is important

2012-11-13 Thread Dave Aitel
CANVAS added HTTP/S + Proxy support to Java MOSDEF last week for the release. http://www.immunityinc.com/news-latest.shtml This means that when you attack people with Java client-sides you get a much higher rate of success against Financial and Federal Govt networks, which is awesome in its own

[Dailydave] This is a great movie

2012-11-13 Thread Dave Aitel
The hard thing, with these product demo movies, is to imagine how we would have done it 5 years ago. Is it any different from today? If not, then we need to work harder...but in this case, I think it's a pretty smooth show. You get to see the various new things from this month's CANVAS release,

[Dailydave] Master Classes

2012-10-02 Thread Dave Aitel
I remember when people were wondering when Microsoft was going to kill Linux off. But these days, Linux exploitation is more in demand than ever. We see it in consulting engagements all the time, for example. Also, now that it's the new federal business year, it's time for everyone to think about

[Dailydave] The City.

2012-09-27 Thread Dave Aitel
So I'm in DC today (ostensibly for the Plan X meeting, but I didn't register in time, and I don't have the necessary clearances anyways, so instead, heading to the Immunity DC office, etc.) and of course, the whole area is suffused in politics the way Palo Alto is suffused in VC money or Paris is

[Dailydave] Fwd: Re: Friends, Romans...

2012-09-27 Thread Dave Aitel
Some people don't know how to use email, so I'm forwarding things for them. -dave Original Message Subject:Re: [Dailydave] Friends, Romans... Date: Thu, 27 Sep 2012 20:18:05 +0700 From: the grugq thegr...@gmail.com To: Dave Aitel d...@immunityinc.com On 09

[Dailydave] Code signing FTW!

2012-09-27 Thread Dave Aitel
Good Muse Everyone! http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html My fav. line in the above is There is no evidence to date that any source code was stolen. I mean, aside from the obvious fact that the attackers were knowledgeable enough about the

[Dailydave] Friends, Romans...

2012-09-25 Thread Dave Aitel
So I just got back from Ekoparty, in Argentina. Ekoparty has great technical content - much of which I listened to through a translator service they had (which was surprisingly effective). Of course, sometimes the interesting talks are not technical at all (and, luckily for me, in English), as is

[Dailydave] INFILTRATE 2013! Sports and such

2012-09-13 Thread Dave Aitel
While I think having Stephen Watt and Chris Eagle as keynote speakers is enough reason for everyone to come to INFILTRATE, apparently the new hotness is having sports. At BlackHat we did indoor soccer via Hack-Cup http://hack-cup.com/ and it was awesome, even for those of us who otherwise never

[Dailydave] INFILTRATE 2013 Keynote Announcement: Chris Eagle

2012-08-30 Thread Dave Aitel
http://infiltratecon.com/speakers.html So like many of you I'm rarely impressed by capture the flags. There's whole countries out there with working Internets but without functioning governments, isn't that enough for people? Also, I tend to lose CTFs to SK Chong whenever I play, which is

[Dailydave] Videos for you: The Navy and Cyber

2012-06-29 Thread Dave Aitel
So these are great videos: http://www.youtube.com/user/USNavalInstitute/videos You'll notice the one by General Cartwright (which we twittered/posted earlier) has about 2000 views, and all the others have like, 10. But that could just be because his video is awesome. Panels are always hard to

[Dailydave] Last day to sign up for HACK CUP!

2012-06-01 Thread Dave Aitel
http://www.hack-cup.com/add-your-team And of course, in the real-world hack cup, we have FLAME. Hooray for naming schemes! http://video.foxbusiness.com/v/1665315023001/whos-behind-cyber-attack-against-iran/ -dave -- INFILTRATE - the world's best offensive information security conference.

[Dailydave] Iron Man, nukes, vogon poetry.

2012-05-25 Thread Dave Aitel
So now that Max is six, I get to read comic books while pretending they're for him. And one thing you learn quickly is that the comic books people revere - the old-school Stan Lee era comic books - are godawful. They're just terrible. The art is terrible. The writing is campy and flowless and just

[Dailydave] Hacking the tribal websites, scuba divers, and lilacs.

2012-05-24 Thread Dave Aitel
http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html So you know how when you're at a stoplight, and you see flashing lights from a fire truck behind you, and you'll carefully maneuver to pull

Re: [Dailydave] Hacking the tribal websites, scuba divers, and lilacs.

2012-05-24 Thread Dave Aitel
though, iiuc. -dave On 5/24/12 10:47 AM, Dave Aitel wrote: http://www.washingtonpost.com/national/clinton-state-department-hacked-al-qaida-sites-in-yemen-part-of-covert-war-on-terror/2012/05/23/gJQAKFOdlU_story.html So you know how when you're at a stoplight, and you see flashing lights from

[Dailydave] Jailbreaking

2012-05-23 Thread Dave Aitel
So for those of you who do not follow the twitters...IntevyDis released a new version of VulnDisco Mobile, which includes an untethered jailbreak for the latest iOS. http://www.idownloadblog.com/2012/05/22/new-jailbreak-vulndisco-mobile/ You can watch the movie to see a CANVAS node pop up as

[Dailydave] Howard Schmidt

2012-05-18 Thread Dave Aitel
As for getting into the power grid, I can't see that that's realistic, Schmidt said. http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/ Likewise as that Threat Point article from the start of his time in the White House points out: People have to recognize that when we close the door

[Dailydave] Ten years.

2012-05-17 Thread Dave Aitel
Immunity is ten years old now - and like any ten year old, it is interested mostly in shiny things that bleep and bloop. : But also like any ten year old we are growing and always hungry, and so if you're interested in working in the new DC office or Miami Beach HQ, please let me know. We only

[Dailydave] Spooked at RSA 2012

2012-04-26 Thread Dave Aitel
So we put my RSA 2012 talk up, along with the comments from the viewers that RSA collected. I 100% agree with every comment in the feedback form, which include such bon mots such as You reek of pride. Frankly, I am quite proud of what the offensive community has been able to do over the last

[Dailydave] Mark Wuergler

2012-03-30 Thread Dave Aitel
When I watch Mark Wuergler's INFILTRATE 2012 talk on wireless attacks it makes me think of the tiny Fear Demon from Buffy http://upload.wikimedia.org/wikipedia/en/d/d7/Buffy4x04.jpg. We had to squeeze him down into a tiny window at the top right. All you can really see about him is that he's

[Dailydave] See Andrew Cushman of Microsoft Trusted Computing speak at INFILTRATE 2012!

2012-03-29 Thread Dave Aitel
We're working our way through the INFILTRATE 2012 movies slowly - each one has to be re-rendered in iMovie since the original recording was done into some Silverlight applet. So we find we are re-syncing the slides with the videos by hand, which is less than ideal. Nonetheless, the first videos

[Dailydave] Paid-for Vendor talk .... seems legit?

2012-03-21 Thread Dave Aitel
Why is it that every conference has gone the full hog and decided that you must sell keynotes? When I tried to watch the Whitman Diffie keynote at BH EU, it was preceded by a 30 minute Fortigate infomercial. RSA had like 5 paid-for keynotes for every one real keynote. Everyone who hasn't should

[Dailydave] RSA

2012-03-01 Thread Dave Aitel
So I guess my summary would be : Better than expected so far! The first talk I saw, was a panel discussion led by CloudStrike's Dmitri Alperovitch (who is uniquely confused as to how new his Android exploit talk is - I mean there's products out there that do everything his talk discusses. Then

[Dailydave] Apply Slides!

2012-02-16 Thread Dave Aitel
Movies and Links of the day! If you haven't seen the new SILICA Release movie, then you should. Team SILICA worked hard at making the WPS attack as easy to make work as possible. There are a lot of popular routers where you have NO WAY to turn this feature off. I love that.

[Dailydave] Cyber Politics By Other Means

2012-01-27 Thread Dave Aitel
Dear DD - attached is some red meat. : -dave Introduction It is, of course, very possible that hackers will get to help choose America's next president. Possibly not in the most direct way (aka, attacking the electoral system directly, the candidates, or the super PACs that support their

[Dailydave] Alligators

2012-01-19 Thread Dave Aitel
INFILTRATE 2012 is over (as of an hour from now). I will say that all the talks, especially the keynotes, exceeded our expectations. That's a good thing - we had high expectations even of Thomas Lim! Here is one review: http://blog.opensecurityresearch.com/2012/01/infiltrate-wrap-up.html

[Dailydave] Apache Struts

2012-01-06 Thread Dave Aitel
Just how bad is that Sec-Consult Apache Struts vulnerability... (from their advisory) ___ 2.) Remote command execution in Struts = 2.3.1 (CookieInterceptor) Given struts.xml is configured to handle all cookie names (independent of limited cookie values): action name=Test
