Wednesday, March 25, 2009

Mixed links

225868856_a0ffef1924_oA paper about the state of the databases which store our information in the EU. I skimmed trough it, probably it is more interest to people who are concerned about this aspect.

Advances in HTTP encapsulated payloads – a presentation about Metasploit using outbound connections. Nothing too revolutionary, but a good reminder that just because you only allow outbound HTTP traffic, it doesn’t mean that you are safe.

IE8 has issues with a lot of sites in the restricted zone list – this wouldn’t be an issue, but apparently Spyware S&D uses this method to block sites. While in some sense adding 10 000+ sites is excessive, but in the same time if this worked acceptably with older versions, it is a regression (along the same lines: having a lot of entries in the hosts file – for the same reason – to block certain sites – makes the DNS service spike an 100% for several seconds. as a sidenote Ubuntu doesn’t seem to have this problem :-)).

Via Security Balance: the Microsoft Azure “cloud” went down for 22 hour because of patching. Last year Amazon EC2 want offline for a couple of hours. On average these services probably have a much better SLA level than 99% of the companies, yet still people point to these incidents as risks...

From the GrandStreamDreams blog:

  • An update to Network Monitor, Microsoft’s version of Wireshark (if you have to install a software, why not use the better product, ie. Wireshark? :-))
  • DD in Windows Forensics [PDF]
  • Solving the This driver is not signed problem – ok, this is bad from a security standpoint. This means that any malware with administrator privileges (which it already must have to install rootkits) can simply do a two-step process to install the rootkit: (a) install its own certificate and (b) install the rootkit. Why not require all drivers to be signed by a central authority? For legal reasons I assume...
  • Is Windows Forensic Edition Forensically Sound? – yes if you know what settings to change. But for the love of the all mighty: these settings should have been set by default! I know that it is more convenient to have the partitions mounted auto-magically, but then don’t call it “forensic” edition

Protocol coverage metrics – it got me thinking: wouldn’t it be nice to have a formal grammar for the protocols, so that we can check if the implementations conform to them?

From taint.org: Ts'o: Delayed allocation and the zero-length file problem – essentially ext4 changed the commit delay from 5 to 60 seconds, so if your application crashes, though.

The Metasploit performance can be improved considerably by a simple patch – this is really needed, because it is slooow. Also, memory reallocation is slow, no matter in what language you do it.

Via ReverseEngineering Reddit: The Beginners Guide to Codecaves. A nice article. It also talks about TSearch, a useful tool for quickly localizing and editing variables in the applications memory space.

Retro Computing presentation – what you can use an older computer for.

Freshmeat.net has a new design – very Web 2.0 :-)

Via Slashdot: proof of concept BIOS level rootkit. Since the method to persist from 16 bit mode to already exists, it is probable that it will be included in some targeted attacks.

Dan Kaminsky’s slides from CanSecWest – interesting stuff, as always. I very much liked the method of using faked FTP connections to set up port forwarding at the router.

Via chimeric.de (by a comment from Andreas Gohr): Augmented reality via RjDj.

Picture taken from Hamed Saber's photostream with permission.

No comments:

Post a Comment